diff --git a/services/diun.tf b/services/diun.tf
index 250c509..ca7433b 100644
--- a/services/diun.tf
+++ b/services/diun.tf
@@ -35,4 +35,18 @@ module "diun" {
       mount       = false
     },
   ]
+
+  workload_acl_policy = {
+    name        = "diun-read"
+    description = "Give the diun task read access to jobs"
+
+    rules_hcl = <<EOH
+namespace "default" {
+  capabilities = [
+    "list-jobs",
+    "read-job",
+  ]
+}
+EOH
+  }
 }