diff --git a/main.tf b/main.tf
index 3c79e360c..25c3e17ec 100644
--- a/main.tf
+++ b/main.tf
@@ -350,8 +350,11 @@ resource "aws_iam_policy" "instance_docker_machine_policy" {
   name = "${local.name_iam_objects}-docker-machine"
   path = "/"
   description = "Policy for docker machine."
-  policy = templatefile("${path.module}/policies/instance-docker-machine-policy.json", {})
-  tags = local.tags
+  policy = templatefile("${path.module}/policies/instance-docker-machine-policy.json",
+    {
+      docker_machine_role_arn = aws_iam_role.docker_machine.arn
+    })
+  tags = local.tags
 }
 
 resource "aws_iam_role_policy_attachment" "instance_docker_machine_policy" {
diff --git a/policies/instance-docker-machine-policy.json b/policies/instance-docker-machine-policy.json
index 35e90ee61..1ca44687e 100644
--- a/policies/instance-docker-machine-policy.json
+++ b/policies/instance-docker-machine-policy.json
@@ -17,11 +17,17 @@
         "ec2:RequestSpotInstances",
         "ec2:CancelSpotInstanceRequests",
         "ec2:DescribeSubnets",
-        "ec2:AssociateIamInstanceProfile",
-        "iam:PassRole"
+        "ec2:AssociateIamInstanceProfile"
       ],
       "Effect": "Allow",
       "Resource": "*"
+    },
+    {
+      "Action": [
+        "iam:PassRole"
+      ],
+      "Effect": "Allow",
+      "Resource": "${docker_machine_role_arn}"
     }
   ]
 }
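Review bot: The `templatefile` call now threads `aws_iam_role.docker_machine.arn` into the policy document, but nothing in the resource says why, and the description still reads only "Policy for docker machine."; a line above the `policy` argument such as `# The template scopes iam:PassRole to the docker-machine role so the runner instance cannot hand out any other role` would record the intent the next maintainer needs before loosening it again. The `aws_iam_role.docker_machine` resource is not in this hunk, so whether it is always created (no `count`/`for_each` guard that would make `.arn` fail to resolve) cannot be confirmed here; if it is conditional, the template input needs the matching index or a `try()`. The `resource` block continues outside the hunk.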
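Review bot: The new `iam:PassRole` statement pins the resource to the docker-machine role ARN but has no condition on which service the role may be passed to, so the executor could still pass it to any principal the role's trust policy accepts now or later; adding `"Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}` to that statement limits the pass to EC2, which is the only consumer this policy shows. `ec2:AssociateIamInstanceProfile` remains in the first statement on `"Resource": "*"`, so the runner can still attach a profile to any instance in the account; whether that can be narrowed by instance tag or ARN depends on how docker-machine launches and tags instances, which is not visible in this hunk. The enclosing `Statement` array and any `ec2:RunInstances` grant begin before line 17, so the scope of the remaining wildcard actions cannot be judged from here.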