diff --git a/README.md b/README.md
index c4badae..d888fe1 100644
--- a/README.md
+++ b/README.md
@@ -124,6 +124,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_iam_access_key.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
+| [aws_iam_policy.irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_user.user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
 | [aws_iam_user_policy.userpol](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
 | [aws_kms_alias.alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
@@ -131,6 +132,7 @@ No modules.
 | [aws_sqs_queue.terraform_queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
 | [random_id.id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
@@ -162,6 +164,7 @@ No modules.
 | Name | Description |
 |------|-------------|
 | <a name="output_access_key_id"></a> [access\_key\_id](#output\_access\_key\_id) | Access key id for the credentials |
+| <a name="output_irsa_policy_arn"></a> [irsa\_policy\_arn](#output\_irsa\_policy\_arn) | n/a |
 | <a name="output_secret_access_key"></a> [secret\_access\_key](#output\_secret\_access\_key) | Secret for the new credentials |
 | <a name="output_sqs_arn"></a> [sqs\_arn](#output\_sqs\_arn) | The ARN of the SQS queue. |
 | <a name="output_sqs_id"></a> [sqs\_id](#output\_sqs\_id) | The URL for the created Amazon SQS queue. |
diff --git a/example/sqs.tf b/example/sqs.tf
index 64a63ab..51d354b 100644
--- a/example/sqs.tf
+++ b/example/sqs.tf
@@ -3,7 +3,7 @@ module "example_sqs" {
   # source = "github.com/ministryofjustice/cloud-platform-terraform-sqs?ref=4.9.1"
   source = "../"
 
-  sqs_name               = "example_sqs_name"
+  sqs_name = "example_sqs_name"
   # if true, the sqs_name above must end with ".fifo", it's an API quirk
   fifo_queue             = false
   team_name              = var.team_name
diff --git a/main.tf b/main.tf
index 71efc1b..2cfcab4 100644
--- a/main.tf
+++ b/main.tf
@@ -1,3 +1,17 @@
+locals {
+  default_tags = {
+    # Mandatory
+    business-unit = var.business-unit
+    application   = var.application
+    is-production = var.is-production
+    owner         = var.team_name
+    namespace     = var.namespace # for billing and identification purposes
+    # Optional
+    environment-name       = var.environment-name
+    infrastructure-support = var.infrastructure-support
+  }
+}
+
 data "aws_caller_identity" "current" {}
 
 resource "random_id" "id" {
@@ -113,17 +127,10 @@ resource "aws_sqs_queue" "terraform_queue" {
   redrive_policy                    = var.redrive_policy
   fifo_queue                        = var.fifo_queue
 
-  tags = {
-    business-unit          = var.business-unit
-    application            = var.application
-    is-production          = var.is-production
-    environment-name       = var.environment-name
-    owner                  = var.team_name
-    infrastructure-support = var.infrastructure-support
-    namespace              = var.namespace
-  }
+  tags = local.default_tags
 }
 
+# Legacy long-lived credentials
 locals {
   create_user = replace(var.existing_user_name, "cp-", "") == var.existing_user_name ? 1 : 0
 }
@@ -157,3 +164,20 @@ data "aws_iam_policy_document" "policy" {
   }
 }
 
+# Short-lived credentials (IRSA)
+data "aws_iam_policy_document" "irsa" {
+  version = "2012-10-17"
+  statement {
+    sid       = "AllowSQSActions"
+    effect    = "Allow"
+    actions   = ["sqs:*"]
+    resources = [aws_sqs_queue.terraform_queue.arn]
+  }
+}
+
+resource "aws_iam_policy" "irsa" {
+  name   = "cloud-platform-sqs-${random_id.id.hex}"
+  path   = "/cloud-platform/sqs/"
+  policy = data.aws_iam_policy_document.irsa.json
+  tags   = local.default_tags
+}
diff --git a/outputs.tf b/outputs.tf
index f95f6a3..daf75f0 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -30,3 +30,6 @@ output "sqs_name" {
   value       = aws_sqs_queue.terraform_queue.name
 }
 
+output "irsa_policy_arn" {
+  value = aws_iam_policy.irsa.arn
+}