diff --git a/CHANGELOG.md b/CHANGELOG.md
index fb8e2598..41e27db0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,6 +33,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - update MWAA to 2.9.2
 - update mwaa constraints
 - limit length of id in model name to prevent model name becoming too long
+- add permission for get secret value in `hf_import_models` template
 
 ## v1.2.0
 
diff --git a/modules/sagemaker/sagemaker-templates-service-catalog/templates/hf_import_models/pipeline_constructs/build_pipeline_construct.py b/modules/sagemaker/sagemaker-templates-service-catalog/templates/hf_import_models/pipeline_constructs/build_pipeline_construct.py
index 9da4e612..60c95523 100644
--- a/modules/sagemaker/sagemaker-templates-service-catalog/templates/hf_import_models/pipeline_constructs/build_pipeline_construct.py
+++ b/modules/sagemaker/sagemaker-templates-service-catalog/templates/hf_import_models/pipeline_constructs/build_pipeline_construct.py
@@ -224,6 +224,16 @@ def __init__(
                 resources=[sagemaker_seedcode_bucket.bucket_arn],
             )
         )
+        codebuild_role.add_to_policy(
+            iam.PolicyStatement(
+                actions=[
+                    "secretsmanager:GetSecretValue",
+                ],
+                resources=[
+                    f"arn:aws:secretsmanager:{Aws.REGION}:{Aws.ACCOUNT_ID}:secret:{hf_access_token_secret}-??????"
+                ],
+            )
+        )
 
         # Create the CodeBuild project
         sm_pipeline_build = codebuild.PipelineProject(
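Review bot: The resource ARN in the added PolicyStatement hard-codes the `arn:aws:` partition while taking region and account from `Aws.REGION`/`Aws.ACCOUNT_ID`, so in a GovCloud or China partition the pattern never matches the real secret and the CodeBuild role is silently denied; use the partition pseudo-parameter too: `f"arn:{Aws.PARTITION}:secretsmanager:{Aws.REGION}:{Aws.ACCOUNT_ID}:secret:{hf_access_token_secret}-??????"`. The `-??????` suffix is the right way to scope to the one secret instead of `*`, but it only works if `hf_access_token_secret` is the secret's name rather than a full ARN, which the hunk does not show — a one-line comment such as `# hf_access_token_secret is the secret *name*; Secrets Manager appends a 6-char random suffix to the ARN` would make that contract explicit. If the secret is encrypted with a customer-managed KMS key, `GetSecretValue` will additionally require `kms:Decrypt` on that key, which this statement does not grant. The enclosing `__init__` starts and ends outside the hunk.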