diff --git a/hack/cloudformation.yaml b/hack/cloudformation.yaml
index 80f8c85..7f0c585 100644
--- a/hack/cloudformation.yaml
+++ b/hack/cloudformation.yaml
@@ -290,6 +290,7 @@ Resources:
 
 DefaultInstanceRole:
 Type: AWS::IAM::Role
+DependsOn: InstallIamUser
 Properties:
 RoleName: !Sub ${AWS::StackName}-default-role
 AssumeRolePolicyDocument:
@@ -324,9 +325,15 @@ Resources:
 - - "arn:aws:s3:::"
 - !If [GenerateS3BucketName, !Sub "ocp4-disconnected-${AWS::AccountId}-${AWS::Region}", !Ref S3TransferBucketName]
 - "/*"
+- Effect: Allow
+Action:
+- iam:CreateAccessKey
+Resource:
+- !GetAtt InstallIamUser.Arn
 - Effect: Allow
 Action:
 - cloudformation:DescribeStacks
+- ec2:DescribeSubnets
 Resource: "*"
 
 DefaultInstanceProfile:
@@ -337,6 +344,19 @@ Resources:
 Roles:
 - !Ref DefaultInstanceRole
 
+InstallIamUser:
+Type: AWS::IAM::User
+Properties:
+UserName: !Sub ${AWS::StackName}-install-user
+Policies:
+- PolicyName: AdministratorAccess
+PolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: Allow
+Action: "*"
+Resource: "*"
+
 #############################################################################
 # NAT Instance
 #############################################################################
@@ -732,3 +752,7 @@ Outputs:
 HighSideInstancePrivateIp:
 Description: A reference to the private IP to the High Side instance
 Value: !GetAtt HighSideInstance.PrivateIp
+
+InstallIamUser:
+Description: A reference to the IAM User to use for installing OpenShift
+Value: !Ref InstallIamUser
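Review bot: The added `DependsOn: InstallIamUser` on DefaultInstanceRole is redundant, because the role's inline policy in the next hunk references `!GetAtt InstallIamUser.Arn`, and a `GetAtt` on a resource already makes CloudFormation create the user before the role. Dropping the line avoids a second, hand-maintained ordering constraint that can drift if the policy statement is later removed. If it is kept deliberately, a short comment such as `# explicit: the role's policy only references the user via GetAtt` would make that intent clear. The DefaultInstanceRole definition continues outside the hunk.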
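Review bot: Granting the instance role `iam:CreateAccessKey` on InstallIamUser, whose inline policy in the following hunk is `Action: "*"` / `Resource: "*"`, makes every process running under DefaultInstanceProfile effectively a full administrator, since it can mint long-lived access keys that are not tied to the instance's role session and survive the instance. The role is otherwise scoped to S3 reads and describe calls, so this single statement widens it far beyond the rest of the policy. Prefer letting the installer assume a role (or use the instance profile directly) rather than creating user keys, or at minimum scope InstallIamUser to the permissions the OpenShift installer documents and pair the grant with `iam:DeleteAccessKey` on the same ARN so keys created at install time can be removed; CloudTrail alerts on CreateAccessKey for this user name would also be worth adding. The same concern applies to the InstallIamUser resource hunk. The policy document this statement belongs to starts outside the hunk.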
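Review bot: InstallIamUser carries an inline policy with `Action: "*"` and `Resource: "*"` and no `PermissionsBoundary`, so nothing caps what this user (or anyone holding keys issued for it) can do in the account. Naming the inline policy `AdministratorAccess` also invites confusion with the AWS managed policy `arn:aws:iam::aws:policy/AdministratorAccess` in audit output, although the two are unrelated. A `PermissionsBoundary` and a least-privilege statement set would contain the blast radius; if the wildcard is intentional for a throwaway lab stack, a comment on the resource saying so, e.g. `# lab-only: wildcard policy, delete stack after install`, would help reviewers. Be aware as well that access keys created for this user outside CloudFormation will, as far as I recall, block deletion of the AWS::IAM::User on stack teardown unless they are removed first; confirm this behaviour for your cleanup procedure.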