diff --git a/dynamic_values/config_modules/service_authorizations/service_authorizations.tf b/dynamic_values/config_modules/service_authorizations/service_authorizations.tf index efb0325bf..1074887d2 100644 --- a/dynamic_values/config_modules/service_authorizations/service_authorizations.tf +++ b/dynamic_values/config_modules/service_authorizations/service_authorizations.tf @@ -30,6 +30,10 @@ variable "atracker_cos_bucket" { description = "Add atracker to cos s2s" } +variable "clusters" { + description = "Add cluster to kms auth policies" +} + ############################################################################## ############################################################################## @@ -55,6 +59,22 @@ module "kms_to_block_storage" { ] } +# workaround for https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone/issues/645 +module "kube_to_kms" { + source = "../list_to_map" + list = [ + for instance in(length(var.clusters) > 0 ? ["containers-kubernetes"] : []) : + { + name = instance + source_service_name = "containers-kubernetes" + description = "Allow cluster to be encrypted by KMS instance" + roles = ["Reader"] + target_service_name = local.target_key_management_service + target_resource_instance_id = var.key_management_guid + } if local.target_key_management_service != null + ] +} + ############################################################################## ############################################################################## @@ -134,7 +154,8 @@ output "authorizations" { module.kms_to_block_storage.value, module.cos_to_key_management.value, module.flow_logs_to_cos.value, - module.atracker_to_cos.value + module.atracker_to_cos.value, + module.kube_to_kms.value ) } diff --git a/dynamic_values/service_authorizations.tf b/dynamic_values/service_authorizations.tf index d94545534..899e97c77 100644 --- a/dynamic_values/service_authorizations.tf +++ b/dynamic_values/service_authorizations.tf 
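Review bot: The new `kube_to_kms` module does not consult the skip inputs this module already accepts (`skip_all_s2s_auth_policies`, `skip_kms_block_storage_s2s_auth_policy` are passed in by the wiring in the second file), so unless that flag is applied to the whole `authorizations` output (the `output` block starts before this hunk, so I cannot see that), a caller who asked for no s2s policies still gets a Kubernetes→KMS authorization created; gating the source list, e.g. `for instance in (length(var.clusters) > 0 && !var.skip_all_s2s_auth_policies ? ["containers-kubernetes"] : [])`, keeps it consistent with the other policies. The policy also carries no `source_resource_instance_id` or `source_resource_group_id`, so every Kubernetes cluster in the account, not only those in `var.clusters`, gains `Reader` on the KMS instance; that is presumably forced by the linked issue (cluster IDs are not known before creation), but it is the broadest possible grant and deserves a comment such as `# service-wide grant: cluster IDs do not exist yet, so this cannot be scoped per cluster` and, if the clusters' resource group is known in this module, a `source_resource_group_id` to narrow it. The `variable "clusters"` description `"Add cluster to kms auth policies"` says nothing about the shape or the effect; `description = "List of clusters; when non-empty a containers-kubernetes -> KMS Reader s2s authorization is created"` plus a `type` would make the contract explicit. If the cluster objects carry a per-cluster KMS setting (not visible here), the policy could additionally be skipped when no cluster actually uses KMS rather than whenever the list is non-empty.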
@@ -11,6 +11,7 @@ module "service_authorizations" { skip_kms_block_storage_s2s_auth_policy = var.skip_kms_block_storage_s2s_auth_policy skip_all_s2s_auth_policies = var.skip_all_s2s_auth_policies atracker_cos_bucket = var.atracker_cos_bucket + clusters = var.clusters } ##############################################################################