diff --git a/services/service/main.tf b/services/service/main.tf
index c23f349..7d0fa2d 100644
--- a/services/service/main.tf
+++ b/services/service/main.tf
@@ -38,11 +38,27 @@ resource "nomad_job" "service" {
 
     mysql_bootstrap    = var.mysql_bootstrap
     postgres_bootstrap = var.postgres_bootstrap
+
+    workload_identity_env = var.workload_acl_policy != null
   })
 
   detach = var.detach
 }
 
+resource "nomad_acl_policy" "workload_special" {
+  count = var.workload_acl_policy != null ? 1 : 0
+
+  name        = var.workload_acl_policy.name
+  description = var.workload_acl_policy.description
+  rules_hcl   = var.workload_acl_policy.rules_hcl
+
+  job_acl {
+    job_id = var.name
+    group  = var.name
+    task   = var.name
+  }
+}
+
 resource "nomad_acl_policy" "secrets_mysql" {
   count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0
 
diff --git a/services/service/service_template.nomad b/services/service/service_template.nomad
index b911591..46726f5 100644
--- a/services/service/service_template.nomad
+++ b/services/service/service_template.nomad
@@ -189,6 +189,11 @@ EOF
         %{~ endif ~}
       }
       %{~ endif ~}
+      %{~ if workload_identity_env }
+      identity {
+        env = true
+      }
+      %{~ endif ~}
     }
     %{~ if mysql_bootstrap != null }
     task "mysql-bootstrap" {
diff --git a/services/service/vars.tf b/services/service/vars.tf
index 09d0d4a..1c12113 100644
--- a/services/service/vars.tf
+++ b/services/service/vars.tf
@@ -262,3 +262,13 @@ variable "use_wesher" {
   description = "Indicates whether or not services should expose themselves on the wesher network"
   default     = true
 }
+
+variable "workload_acl_policy" {
+  type = object({
+    name        = string
+    description = string
+    rules_hcl   = string
+  })
+
+  default = null
+}