diff --git a/terraform/rustc-ci/.terraform.lock.hcl b/terraform/rustc-ci/.terraform.lock.hcl
index 1d368506f..5144f0431 100644
--- a/terraform/rustc-ci/.terraform.lock.hcl
+++ b/terraform/rustc-ci/.terraform.lock.hcl
@@ -2,41 +2,46 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "3.63.0" - constraints = "~> 3.59" + version = "4.67.0" + constraints = "~> 4.20, ~> 4.28, ~> 4.67" hashes = [ - "h1:v9aPF3aaBpk0uSO5pfggYJKGgP/Ur28hZRJs1jS+ttI=", - "zh:42c6c98b294953a4e1434a331251e539f5372bf6779bd61ab5df84cac0545287", - "zh:5493773762a470889c9a23db97582d3a82035847c8d3bd13323b4c3012abf325", - "zh:550d22ff9fed4d817a922e7b84bd9d1f2ef8d3afa00832cf66b8cd5f0e6dc748", - "zh:632cb5e2d9d5041875f57174236eafe5b05dbf26750c1041ab57eb08c5369fe2", - "zh:7cfeaf5bde1b28bd010415af1f3dc494680a8374f1a26ec19db494d99938cc4e", - "zh:99d871606b67c8aefce49007315de15736b949c09a9f8f29ad8af1e9ce383ed3", - "zh:c4fc8539ffe90df5c7ae587fde495fac6bc0186fec2f2713a8988a619cef265f", - "zh:d0a26493206575c99ca221d78fe64f96a8fbcebe933af92eea6b39168c1f1c1d", - "zh:e156fdc964fdd4a7586ec15629e20d2b06295b46b4962428006e088145db07d6", - "zh:eb04fc80f652b5c92f76822f0fec1697581543806244068506aed69e1bb9b2af", - "zh:f5638a533cf9444f7d02b5527446cdbc3b2eab8bcc4ec4b0ca32035fe6f479d3", + "h1:5Zfo3GfRSWBaXs4TGQNOflr1XaYj6pRnVJLX5VAjFX4=", + "zh:0843017ecc24385f2b45f2c5fce79dc25b258e50d516877b3affee3bef34f060", + "zh:19876066cfa60de91834ec569a6448dab8c2518b8a71b5ca870b2444febddac6", + "zh:24995686b2ad88c1ffaa242e36eee791fc6070e6144f418048c4ce24d0ba5183", + "zh:4a002990b9f4d6d225d82cb2fb8805789ffef791999ee5d9cb1fef579aeff8f1", + "zh:559a2b5ace06b878c6de3ecf19b94fbae3512562f7a51e930674b16c2f606e29", + "zh:6a07da13b86b9753b95d4d8218f6dae874cf34699bca1470d6effbb4dee7f4b7", + "zh:768b3bfd126c3b77dc975c7c0e5db3207e4f9997cf41aa3385c63206242ba043", + "zh:7be5177e698d4b547083cc738b977742d70ed68487ce6f49ecd0c94dbf9d1362", + "zh:8b562a818915fb0d85959257095251a05c76f3467caa3ba95c583ba5fe043f9b", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9c385d03a958b54e2afd5279cd8c7cbdd2d6ca5c7d6a333e61092331f38af7cf", + 
"zh:b3ca45f2821a89af417787df8289cb4314b273d29555ad3b2a5ab98bb4816b3b", + "zh:da3c317f1db2469615ab40aa6baba63b5643bae7110ff855277a1fb9d8eb4f2c", + "zh:dc6430622a8dc5cdab359a8704aec81d3825ea1d305bbb3bbd032b1c6adfae0c", + "zh:fac0d2ddeadf9ec53da87922f666e1e73a603a611c57bcbc4b86ac2821619b1d", ] } provider "registry.terraform.io/integrations/github" { - version = "4.16.0" + version = "4.31.0" constraints = "~> 4.0" hashes = [ - "h1:IrC2CowOQFtQCwDsysvS1fb46197Z5i0wIKslB1GnF8=", - "zh:24454b9082c5793d288e560d631c49ca4a803c26f151cb2853adb8966403f672", - "zh:2fbac366eaa67ef6ba0ad3714cbf0a795303bc8f1131bafec3bfa02fc87c90fb", - "zh:2fdf6daa059d4e996ed908d4a35dd65f681914f521ba7e47e57f292e4de525d2", - "zh:31704c3b3963a6ef18e38812cec6993e3f81c31e8a76ee047b2fc0e5cbb176d3", - "zh:84ef0f7002717d63b10457b83df7c649a4e347f2ebcd69c1912190938a1fb6c5", - "zh:8ed0af87ce15eece9414870134a8b68dfef064da8d584167366bdda824159f45", - "zh:995c61d6d6e3b1d2c020a6666fe9ab73b6eebddfb1c6209c9711bf26d62781fd", - "zh:9c2bed37302f4414eefc6751c0e2cba702d76286caaa4ea931d218c544e52e63", - "zh:b2b28adbff9cc2fcfa221de4cdf8b2b17bd4fdd7c6ba5aa73153387e02d4e7f5", - "zh:b7143da120c9799233f667e738dc94e49e9a325689aa4ca629766ec6577300a6", - "zh:f671bb37978affb5ff876c9fb1815fdcad52549f607276db7c0c70ed345efddd", - "zh:f6bbd2b6ee07a47959804e2eeec94cd8b2ac0a90febc322ed87f84efd0e9df4e", - "zh:ff21d2a68c7b63dda5bfacee500943fc6931bdac536b50396fa36d2f07b0177c", + "h1:FkBft5JlVtlcYcEM0CiphlFWgjBFQVziJMwrowuBIoc=", + "zh:07208ecc74804fbdd554830de79627f3e58633fc417b12dc29aafaceae01e427", + "zh:0dca3802a7ea1ba4812c866bf202e62aef6c8995db8856fdb5b4d1d81b505518", + "zh:24e6a56b34b3e0dca6ca0d6f22d0a31dda6a3256713492902c39ce9edd14acbd", + "zh:42e41fa4e61218973615b7e5d564119bb5c728ee40b881539964cd704632d8c0", + "zh:6aa6bb04fdc00c3c762122e96ee7c19abfb8e42dc5d3a720b5767dbb4cfa274d", + "zh:74ea4bbad825eee831d37940760459786460fe492e1b30acb5c91c9edd14a5ea", + "zh:8e170f6d5e46c08fbc3b5ff251075382f75b53a66a83b7b005099fb99ad94f24", + 
"zh:9164b611e7318e3d08cc84513d3d8c27bd12336a7721a894cb3d346b60286233", + "zh:91d3397f021c5a9fedff36f84635ffc3169224494629bb4a578356a05091e182", + "zh:b061e1529499bf40f8f14c9c8116787dd50f6fd3d64ad38d77cd39db77e98ae9", + "zh:c9daff626f7a55c01db79b6ccc462948bf854d976c73def306ae9ae09e5afe1b", + "zh:ec7e223ae7d6292b8425b7190e801f1098a647d2aee3132761d37fd75cfcfe07", + "zh:f2001b2a2f7049fc74ffe54d7bc48c9dfec80956f468a2c8a550c5071d077dbd", + "zh:f75ec1e71924c50b346bced15883c626f697ffd3ee6c4bb2835e4170fe65215a", ] }
diff --git a/terraform/rustc-ci/_terraform.tf b/terraform/rustc-ci/_terraform.tf
index bd3c39770..cded8a311 100644
--- a/terraform/rustc-ci/_terraform.tf
+++ b/terraform/rustc-ci/_terraform.tf
@@ -6,7 +6,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 3.59"
+ version = "~> 4.67"
 }
 }
diff --git a/terraform/rustc-ci/environments.tf b/terraform/rustc-ci/environments.tf
index a13be8f76..c8224cf27 100644
--- a/terraform/rustc-ci/environments.tf
+++ b/terraform/rustc-ci/environments.tf
@@ -5,8 +5,9 @@ module "public" {
 aws.east1 = aws.east1
 }
- iam_prefix = "ci--rust-lang--rust"
- repo = "rust-lang-ci/rust"
+ iam_prefix = "ci--rust-lang--rust"
+ repo = "rust-lang-ci/rust"
+ source_repo = "rust-lang/rust"
 caches_bucket = "rust-lang-ci-sccache2"
 caches_domain = "ci-caches.rust-lang.org"
@@ -17,6 +18,7 @@ module "public" {
 delete_caches_after_days = 90
 delete_artifacts_after_days = 168
+ response_policy_id = data.terraform_remote_state.shared.outputs.mdbook_response_policy
 }
 module "security" {
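Review bot: `response_policy_id = data.terraform_remote_state.shared.outputs.mdbook_response_policy` ties the CI artifact and cache CDNs to a response policy whose output name says it was defined for the mdbook docs site, and the same coupling is repeated in the `module "security"` hunk below and, through `var.response_policy_id`, in the impl/artifacts.tf and impl/caches.tf hunks. Whatever headers that policy sets (the diff does not show it) now apply to artifact and sccache downloads as well, so a later change made for the docs site, for instance a stricter Content-Security-Policy or different CORS headers, would alter CI download behaviour without anyone touching this module. If the sharing is deliberate, say so where the value is read, e.g. `# Shares the response policy defined for the mdbook CDN in the shared state; header changes there also affect CI artifact/cache downloads.`; if it is not, a CI-specific output in the shared state would decouple the two. Whether the downstream cdn module treats a new policy id as an in-place update or a replacement is not visible here and is worth checking in the plan.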
@@ -26,12 +28,14 @@ module "security" {
 aws.east1 = aws.east1
 }
- iam_prefix = "ci--rust-lang-ci--rsec"
- repo = "rust-lang-ci/rsec"
+ iam_prefix = "ci--rust-lang-ci--rsec"
+ repo = "rust-lang-ci/rsec"
+ source_repo = "rust-lang-ci/rsec"
 caches_bucket = "rust-lang-security-ci-caches"
 artifacts_bucket = "rust-lang-security-ci-artifacts"
 delete_caches_after_days = 30
 delete_artifacts_after_days = 90
+ response_policy_id = data.terraform_remote_state.shared.outputs.mdbook_response_policy
 }
diff --git a/terraform/rustc-ci/impl/_terraform.tf b/terraform/rustc-ci/impl/_terraform.tf
index f81f607f4..8063a4388 100644
--- a/terraform/rustc-ci/impl/_terraform.tf
+++ b/terraform/rustc-ci/impl/_terraform.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 3.59"
+ version = "~> 4.67"
 configuration_aliases = [aws.east1]
 }
 }
@@ -55,3 +55,13 @@ variable "repo" {
 description = "GitHub repository to authorize"
 type = string
 }
+
+variable "source_repo" {
+ description = "GitHub repository to authorize for roles"
+ type = string
+}
+
+variable "response_policy_id" {
+ description = "CDN response policy"
+ type = string
+}
diff --git a/terraform/rustc-ci/impl/artifacts.tf b/terraform/rustc-ci/impl/artifacts.tf
index d1a5c54e6..2724cdc79 100644
--- a/terraform/rustc-ci/impl/artifacts.tf
+++ b/terraform/rustc-ci/impl/artifacts.tf
@@ -123,6 +123,7 @@ module "artifacts_cdn" {
 domain_name = var.artifacts_domain
 origin_domain_name = aws_s3_bucket.artifacts.bucket_regional_domain_name
+ response_policy_id = var.response_policy_id
 }
 data "aws_s3_bucket" "inventories" {
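Review bot: The descriptions of the two repository variables in the `@@ -55,3 +55,13 @@` hunk do not say how they differ: `variable "repo"` is "GitHub repository to authorize" and the new `variable "source_repo"` is "GitHub repository to authorize for roles", yet the only role this commit adds (`aws_iam_role.try_builds` in impl/artifacts.tf) keys its OIDC `sub` condition on `var.repo`, and no hunk in this diff reads `var.source_repo`. If another part of the module consumes it, the description should name that consumer and the exact format expected, e.g. `description = "GitHub repository (owner/name) whose workflows may assume the CI IAM roles; matched exactly against the OIDC sub claim"`, and `repo` should get a matching sentence explaining what it authorizes instead. If nothing reads it yet, the values added in the two environments.tf hunks (`"rust-lang/rust"` for public and `"rust-lang-ci/rsec"` for security) are dead configuration until that consumer lands, and for the security module they are identical to `repo` anyway, which makes the intended distinction harder to guess. `variable "response_policy_id"` would also benefit from saying it is an id passed through to the artifacts and caches cdn modules rather than just "CDN response policy".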
@@ -148,3 +149,67 @@ resource "aws_s3_bucket_inventory" "artifacts" {
 }
 }
 }
+
+resource "aws_iam_role" "try_builds" {
+ name = "${var.iam_prefix}--try-role"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Principal = {
+ Federated = "arn:aws:iam::890664054962:oidc-provider/token.actions.githubusercontent.com"
+ }
+ Condition = {
+ StringEquals = {
+ "token.actions.githubusercontent.com:sub" = "repo:${var.repo}:ref:refs/heads/automation/bors/try"
+ }
+ }
+ }
+ ]
+ })
+
+ inline_policy {
+ name = "put-objects"
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "ArtifactsBucketWrite"
+ Effect = "Allow"
+ Resource = [
+ "${aws_s3_bucket.artifacts.arn}/rustc-builds-try",
+ "${aws_s3_bucket.artifacts.arn}/rustc-builds-try/*",
+ "${aws_s3_bucket.artifacts.arn}/rustc-builds-try-alt",
+ "${aws_s3_bucket.artifacts.arn}/rustc-builds-try-alt/*",
+ ]
+ Action = [
+ "s3:GetObject",
+ "s3:DeleteObject",
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ ]
+ },
+ {
+ Sid = "ArtifactsBucketList"
+ Effect = "Allow"
+ Resource = "${aws_s3_bucket.artifacts.arn}"
+ Action = [
+ "s3:ListBucket",
+ ],
+ },
+ {
+ Sid = "HeadBuckets",
+ Effect = "Allow",
+ Resource = "*"
+ Action = [
+ "s3:HeadBucket",
+ "s3:GetBucketLocation",
+ ],
+ },
+ ]
+ })
+ }
+}
diff --git a/terraform/rustc-ci/impl/caches.tf b/terraform/rustc-ci/impl/caches.tf
index 7415ad62e..45c658912 100644
--- a/terraform/rustc-ci/impl/caches.tf
+++ b/terraform/rustc-ci/impl/caches.tf
@@ -116,4 +116,5 @@ module "caches_cdn" {
 domain_name = var.caches_domain
 origin_domain_name = aws_s3_bucket.caches.bucket_regional_domain_name
+ response_policy_id = var.response_policy_id
 }
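Review bot: The trust policy of `aws_iam_role.try_builds` conditions only on the `sub` claim; the usual hardening for GitHub OIDC federation is to also pin the audience by adding `"token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"` next to the existing `sub` entry in the `StringEquals` block, so a token minted for a different audience cannot be exchanged for this role. In the `HeadBuckets` statement, `Resource = "*"` is broader than needed: `s3:GetBucketLocation` is a bucket-level action that can be scoped to `aws_s3_bucket.artifacts.arn`, and as far as I can tell `s3:HeadBucket` is not an action in the S3 authorization reference (a HeadBucket call is authorized by `s3:ListBucket`, which `ArtifactsBucketList` already grants on the bucket), so the statement could shrink to `Resource = aws_s3_bucket.artifacts.arn` with `Action = ["s3:GetBucketLocation"]`. `s3:PutObjectAcl` under the try prefixes deserves a comment saying why the workflow needs to set ACLs, because whether that can make objects publicly readable depends on the bucket's ownership and public-access settings, which are not in this diff. Minor: `Resource = "${aws_s3_bucket.artifacts.arn}"` is an interpolation-only string and reads more naturally as `Resource = aws_s3_bucket.artifacts.arn`.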