diff --git a/modules/kubernetes-addons/external-secrets/data.tf b/modules/kubernetes-addons/external-secrets/data.tf
index 4b381acf84..2d75e2ab4a 100644
--- a/modules/kubernetes-addons/external-secrets/data.tf
+++ b/modules/kubernetes-addons/external-secrets/data.tf
@@ -19,4 +19,10 @@ data "aws_iam_policy_document" "external_secrets" {
 ["arn:${var.addon_context.aws_partition_id}:secretsmanager:${var.addon_context.aws_region_name}:${var.addon_context.aws_caller_identity_account_id}:secret:*"]
 )
 }
+
+ statement {
+ # it seems `ssm:DescribeParameters` needs wildcard on resources.
+ actions = ["ssm:DescribeParameters"]
+ resources = ["arn:${var.addon_context.aws_partition_id}:ssm:${var.addon_context.aws_region_name}:${var.addon_context.aws_caller_identity_account_id}:*"]
+ }
 }
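Review bot: The new `ssm:DescribeParameters` statement is justified only by a hedged comment ("it seems … needs wildcard"), so a later reader cannot tell whether the account- and region-wide grant is deliberate. As far as the IAM action reference goes, this action has no resource-level scoping, so the role can list the names and metadata (not the values) of every parameter in the region; the comment should say so, e.g. `# ssm:DescribeParameters has no resource-level scoping; allows listing parameter names/metadata (not values) across the account/region`. No `ssm:GetParameter*` statement is visible in this hunk and the `aws_iam_policy_document` block starts above it, so it is worth checking that the parameter read statement is narrower than the `secret:*` pattern shown in the context line. If parameter discovery is not needed by every deployment, gating this statement behind a variable would keep the default policy tighter.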