diff --git a/README.md b/README.md
index 4845175..14a7587 100644
--- a/README.md
+++ b/README.md
@@ -88,7 +88,7 @@ An opinionated Terraform module that can be used to create and manage an EKS clu
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_allow_imdsv1"></a> [allow\_imdsv1](#input\_allow\_imdsv1) | Whether to allow IMDSv1 access (insecure). | `bool` | `false` | no |
-| <a name="input_ami_owners"></a> [ami\_owners](#input\_ami\_owners) | The list of acceptable owners of AMIs to be used for worker nodes. | `list(string)` | <pre>[<br>  "099720109477",<br>  "679593333241",<br>  "amazon",<br>  "self"<br>]</pre> | no |
+| <a name="input_ami_owners"></a> [ami\_owners](#input\_ami\_owners) | The list of acceptable owners of AMIs to be used for worker nodes. | `list(string)` | <pre>[<br/>  "099720109477",<br/>  "679593333241",<br/>  "amazon",<br/>  "self"<br/>]</pre> | no |
 | <a name="input_aws_ebs_csi_driver_oidc_fully_qualified_subjects"></a> [aws\_ebs\_csi\_driver\_oidc\_fully\_qualified\_subjects](#input\_aws\_ebs\_csi\_driver\_oidc\_fully\_qualified\_subjects) | The list of trusted resources which can assume the 'aws-ebs-csi-driver' role using OpenID Connect. | `list(string)` | `[]` | no |
 | <a name="input_aws_load_balancer_controller_oidc_fully_qualified_subjects"></a> [aws\_load\_balancer\_controller\_oidc\_fully\_qualified\_subjects](#input\_aws\_load\_balancer\_controller\_oidc\_fully\_qualified\_subjects) | The list of trusted resources which can assume the 'aws-load-balancer-controller' role using OpenID Connect. | `list(string)` | `[]` | no |
 | <a name="input_cert_manager_oidc_fully_qualified_subjects"></a> [cert\_manager\_oidc\_fully\_qualified\_subjects](#input\_cert\_manager\_oidc\_fully\_qualified\_subjects) | The list of trusted resources which can assume the 'cert-manager' role using OpenID Connect. | `list(string)` | `[]` | no |
@@ -107,7 +107,7 @@ An opinionated Terraform module that can be used to create and manage an EKS clu
 | <a name="input_phlare_bucket_name"></a> [phlare\_bucket\_name](#input\_phlare\_bucket\_name) | The name of the S3 bucket that will be used by Phlare | `string` | `""` | no |
 | <a name="input_phlare_oidc_fully_qualified_subjects"></a> [phlare\_oidc\_fully\_qualified\_subjects](#input\_phlare\_oidc\_fully\_qualified\_subjects) | The list of trusted resources which can assume the 'phlare' role using OpenID Connect. | `list(string)` | `[]` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region in which to create the EKS cluster. | `string` | n/a | yes |
-| <a name="input_self_managed_node_groups"></a> [self\_managed\_node\_groups](#input\_self\_managed\_node\_groups) | A map describing the set of self-managed node groups to create. Other types of node groups besides self-managed are currently not supported. | <pre>map(object({<br>    ami_type                     = string<br>    ami_name_filter              = string<br>    extra_tags                   = map(string)<br>    instance_type                = string<br>    kubelet_extra_args           = string<br>    max_nodes                    = number<br>    min_nodes                    = number<br>    name                         = string<br>    pre_bootstrap_user_data      = string<br>    post_bootstrap_user_data     = string<br>    root_volume_id               = string<br>    root_volume_size             = number<br>    root_volume_type             = string<br>    subnet_ids                   = list(string)<br>    iam_role_additional_policies = map(string)<br>    iam_role_use_name_prefix     = optional(bool, true)<br>    key_name                     = optional(string)<br>  }))</pre> | n/a | yes |
+| <a name="input_self_managed_node_groups"></a> [self\_managed\_node\_groups](#input\_self\_managed\_node\_groups) | A map describing the set of self-managed node groups to create. Other types of node groups besides self-managed are currently not supported. | <pre>map(object({<br/>    ami_type                     = string<br/>    ami_name_filter              = string<br/>    extra_tags                   = map(string)<br/>    instance_type                = string<br/>    kubelet_extra_args           = string<br/>    max_nodes                    = number<br/>    min_nodes                    = number<br/>    name                         = string<br/>    pre_bootstrap_user_data      = string<br/>    post_bootstrap_user_data     = string<br/>    root_volume_id               = string<br/>    root_volume_size             = number<br/>    root_volume_type             = string<br/>    subnet_ids                   = list(string)<br/>    iam_role_additional_policies = map(string)<br/>    iam_role_use_name_prefix     = optional(bool, true)<br/>    key_name                     = optional(string)<br/>  }))</pre> | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | The set of tags to place on the EKS cluster. | `map(string)` | n/a | yes |
 | <a name="input_velero_bucket_name"></a> [velero\_bucket\_name](#input\_velero\_bucket\_name) | The name of the S3 bucket that will be used to upload Velero backups. | `string` | `""` | no |
 | <a name="input_velero_oidc_fully_qualified_subjects"></a> [velero\_oidc\_fully\_qualified\_subjects](#input\_velero\_oidc\_fully\_qualified\_subjects) | The list of trusted resources which can assume the 'velero' role using OpenID Connect. | `list(string)` | `[]` | no |
@@ -118,6 +118,7 @@ An opinionated Terraform module that can be used to create and manage an EKS clu
 
 | Name | Description |
 |------|-------------|
+| <a name="output_aws_ebs_csi_driver_policy_arn"></a> [aws\_ebs\_csi\_driver\_policy\_arn](#output\_aws\_ebs\_csi\_driver\_policy\_arn) | n/a |
 | <a name="output_aws_ebs_csi_driver_role_arn"></a> [aws\_ebs\_csi\_driver\_role\_arn](#output\_aws\_ebs\_csi\_driver\_role\_arn) | n/a |
 | <a name="output_aws_load_balancer_controller_role_arn"></a> [aws\_load\_balancer\_controller\_role\_arn](#output\_aws\_load\_balancer\_controller\_role\_arn) | n/a |
 | <a name="output_cert_manager_role_arn"></a> [cert\_manager\_role\_arn](#output\_cert\_manager\_role\_arn) | n/a |
diff --git a/outputs.tf b/outputs.tf
index 44357e8..faca8b0 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -16,6 +16,10 @@ output "aws_ebs_csi_driver_role_arn" {
   value = length(var.aws_ebs_csi_driver_oidc_fully_qualified_subjects) > 0 ? module.iam_assumable_role_aws_ebs_csi_driver[0].iam_role_arn : ""
 }
 
+output "aws_ebs_csi_driver_policy_arn" {
+  value = length(var.aws_ebs_csi_driver_oidc_fully_qualified_subjects) > 0 ? aws_iam_policy.aws_ebs_csi_driver[0].arn : ""
+}
+
 output "aws_load_balancer_controller_role_arn" {
   value = length(var.aws_load_balancer_controller_oidc_fully_qualified_subjects) > 0 ? module.iam_assumable_role_aws_load_balancer_controller[0].iam_role_arn : ""
 }