diff --git a/locals.tf b/locals.tf
index 45c5d0d..d04c35b 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,6 +1,7 @@
 locals {
 aws_default_region = "us-west-1"
 environment = "production"
+ root_sso_admin_arn = "arn:aws:iam::990466748045:role/aws-reserved/sso.amazonaws.com/us-west-1/AWSReservedSSO_AWSAdministratorAccess_16bdbe5eb442e7ef"
 gh_org_name = "infrahouse"
diff --git a/repo-aws-service-infrahouse-app.tf b/repo-aws-service-infrahouse-app.tf
index 17620fc..54a9f2d 100644
--- a/repo-aws-service-infrahouse-app.tf
+++ b/repo-aws-service-infrahouse-app.tf
@@ -27,6 +27,9 @@ module "aws_service_infrahouse_app_gha_sandbox" {
 repo_name = "aws-service-infrahouse-app"
 state_bucket = module.aws_service_infrahouse_app_state.bucket_name
 terraform_locks_table_arn = module.aws_service_infrahouse_app_state.lock_table_arn
+ trusted_arns = [
+ local.root_sso_admin_arn
+ ]
 }
 # --- The service repo (pure GitHub, no AWS) ---
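Review bot: The literal added as `root_sso_admin_arn` pins the AWS-generated suffix of an IAM Identity Center role (`AWSReservedSSO_AWSAdministratorAccess_16bdbe5eb442e7ef`), which would presumably change if the permission set were deleted and re-created, leaving a stale principal wherever this local is referenced. If a provider for account 990466748045 is configured in this workspace (not visible here), a `data "aws_iam_roles"` lookup with `path_prefix = "/aws-reserved/sso.amazonaws.com/"` and `name_regex = "AWSReservedSSO_AWSAdministratorAccess_.*"` would avoid the pin. Otherwise a comment above the line, such as `# Identity Center admin role in account 990466748045; suffix is AWS-generated, update if the permission set is re-created`, would record what the value is and when it needs revisiting. The `locals` block continues past the end of the hunk.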
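Review bot: The new `trusted_arns` argument lets an interactive administrator role assume whatever roles this module creates, and neither the hunk nor a comment says why that is needed or which roles receive the trust. The module source is not visible here, so it is worth confirming whether the list is applied to every role (including any that can write Terraform state) or only to a read-only one, and whether the resulting trust policy carries any condition. A comment above the argument, for example `# Lets SSO admins assume the sandbox CI roles for manual plan/debug`, would make the intent reviewable. Human sessions under these roles would presumably appear in CloudTrail alongside pipeline runs, so checking that the two stay distinguishable by assuming principal is a useful follow-up. The `module` block starts above the hunk.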