diff --git a/.github/workflows/upload-legacy-ami.yml b/.github/workflows/upload-legacy-ami.yml
index 3265705..70d19e5 100644
--- a/.github/workflows/upload-legacy-ami.yml
+++ b/.github/workflows/upload-legacy-ami.yml
@@ -72,7 +72,7 @@ jobs:
 - name: Smoke test
 id: smoke_test
 run: |
- image_ids=${{ steps.upload_smoke_test_ami.outputs.image_ids }}}
+ image_ids=${{ steps.upload_smoke_test_ami.outputs.image_ids }}
 image_id=$(echo "$amis" | jq -r '.["${{ env.AWS_REGION }}"]')
 nix run .#smoke-test -- --image-id "$image_id" --region "${{ env.AWS_REGION }}"
diff --git a/tf/iam_github_actions.tf b/tf/iam_github_actions.tf
index 1bc40bc..f3e364e 100644
--- a/tf/iam_github_actions.tf
+++ b/tf/iam_github_actions.tf
@@ -99,7 +99,7 @@ data "aws_iam_policy_document" "write_state" {
 resource "aws_iam_policy" "write_state" {
 name = "write-state"
- policy = data.aws_iam_policy_document.write_state.json
+ policy = data.aws_iam_policy_document.write_state.json
 }
 resource "aws_iam_policy" "state" {
@@ -251,6 +251,15 @@ data "aws_iam_policy_document" "upload_ami" {
 ]
 resources = ["*"]
 }
+ statement {
+ effect = "Allow"
+ actions = [
+ "ec2:RunInstances",
+ "ec2:DescribeInstances",
+ "ec2:TerminateInstances",
+ ]
+ resources = ["*"]
+ }
 }
 resource "aws_iam_policy" "upload_ami" {
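Review bot: The line after the corrected assignment still reads `$amis`, which is not set anywhere in the visible step, so `jq` receives empty input and `--image-id` is passed an empty or `null` value; it should read the variable assigned just above, `image_id=$(echo "$image_ids" | jq -r '.["${{ env.AWS_REGION }}"]')`. The assignment itself pastes the `${{ }}` expression unquoted into the script text, so the shell strips the quotes from what is presumably a JSON map (the jq lookup suggests so) and would interpret any metacharacters in the output. Passing the value through the step's `env:` (`IMAGE_IDS: ${{ steps.upload_smoke_test_ami.outputs.image_ids }}`) and referencing `"$IMAGE_IDS"` in the script avoids both problems. The `run:` block may continue past the end of the hunk.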
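Review bot: The statement added to `upload_ami` allows `ec2:TerminateInstances` and `ec2:RunInstances` on `resources = ["*"]`, so whatever principal carries this policy (presumably the GitHub Actions role, going by the file name) can terminate any instance in the account, not only the ones the smoke test launched. `ec2:DescribeInstances` does need `*`, but termination can be limited with a resource-tag condition, assuming the smoke test tags its instances at launch (which would also need a narrowly scoped `ec2:CreateTags` that is not shown here). I would split the statement as below and add a short comment saying the permissions exist for the smoke test; the tag key and value are placeholders. The enclosing `data` block starts outside the hunk.

```hcl
  # ... unchanged: earlier statements of upload_ami ...
  statement {
    effect = "Allow"
    actions = [
      "ec2:RunInstances",
      "ec2:DescribeInstances",
    ]
    resources = ["*"]
  }
  statement {
    effect    = "Allow"
    actions   = ["ec2:TerminateInstances"]
    resources = ["*"]
    # Placeholder tag: replace with the tag the smoke test applies at launch.
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/<SMOKE_TEST_TAG_KEY>"
      values   = ["<SMOKE_TEST_TAG_VALUE>"]
    }
  }
```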