diff --git a/terraform/platform/iam/main.tf b/terraform/platform/iam/main.tf
index 88f2337..2d31b34 100644
--- a/terraform/platform/iam/main.tf
+++ b/terraform/platform/iam/main.tf
@@ -182,7 +182,7 @@ resource "aws_iam_role" "ci_app" {
 Sid = "AllowApplyViaGateLambda"
 Effect = "Allow"
 Principal = {
- AWS = "arn:aws:iam::${var.aws_account_id}:role/${var.project}-apply-gate"
+ AWS = var.apply_gate_role_arn
 }
 Action = "sts:AssumeRole"
 },
diff --git a/terraform/platform/iam/variables.tf b/terraform/platform/iam/variables.tf
index 3593b43..a34ff76 100644
--- a/terraform/platform/iam/variables.tf
+++ b/terraform/platform/iam/variables.tf
@@ -30,3 +30,8 @@ variable "github_org" {
 type = string
 default = "javaBin"
 }
+
+variable "apply_gate_role_arn" {
+ description = "ARN of the apply-gate Lambda role (for ci_app trust policy)"
+ type = string
+}
diff --git a/terraform/platform/lambdas/main.tf b/terraform/platform/lambdas/main.tf
index 5d4c499..80f80e6 100644
--- a/terraform/platform/lambdas/main.tf
+++ b/terraform/platform/lambdas/main.tf
@@ -725,7 +725,8 @@ data "archive_file" "apply_gate" {
 }
 resource "aws_iam_role" "apply_gate" {
- name = "${var.project}-apply-gate"
+ name = "${var.project}-apply-gate"
+ permissions_boundary = "arn:aws:iam::${var.aws_account_id}:policy/${var.project}-developer-boundary"
 assume_role_policy = jsonencode({
 Version = "2012-10-17"
diff --git a/terraform/platform/lambdas/outputs.tf b/terraform/platform/lambdas/outputs.tf
index 486f7ce..a69dddc 100644
--- a/terraform/platform/lambdas/outputs.tf
+++ b/terraform/platform/lambdas/outputs.tf
@@ -27,3 +27,8 @@ output "team_provisioner_function_arn" {
 description = "ARN of the team-provisioner Lambda function"
 value = aws_lambda_function.team_provisioner.arn
 }
+
+output "apply_gate_role_arn" {
+ description = "ARN of the apply-gate Lambda IAM role"
+ value = aws_iam_role.apply_gate.arn
+}
diff --git a/terraform/platform/main.tf b/terraform/platform/main.tf
index db0666e..a9e1718 100644
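Review bot: The ci_app trust policy now grants `sts:AssumeRole` to whatever ARN arrives in `var.apply_gate_role_arn`, and the variable declared in the variables.tf hunk carries no validation, so a misconfigured or malicious caller of the iam module could point this trust at a principal in another account, whereas the removed literal was pinned to `var.aws_account_id`. Consider adding `nullable = false` and a `validation` block on the variable, for example `condition = can(regex("^arn:aws:iam::[0-9]{12}:role/", var.apply_gate_role_arn))` with an error_message stating the expected format; if the Terraform version in use allows referencing other variables inside validation, tightening the pattern to `var.aws_account_id` would restore the previous same-account invariant. The Statement list and the enclosing `resource "aws_iam_role" "ci_app"` continue outside the hunk.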
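Review bot: The new `permissions_boundary` on apply_gate is assembled from a naming convention rather than a resource or data reference, so nothing in this configuration checks that `${var.project}-developer-boundary` exists or that its contents suit this role; a typo or a renamed policy only surfaces as an apply-time failure. The boundary is named for developers while this role is the automation principal that the ci_app trust policy (iam/main.tf hunk) lets assume ci_app; unless that boundary allows `sts:AssumeRole` on the ci_app role, the assumption will be denied and the apply gate stops working, and the boundary policy is not in this diff so that cannot be confirmed here. Note also that a boundary on apply_gate does not cap what ci_app can do once assumed; ci_app's own policies govern that. Resolving the policy through `data "aws_iam_policy"` by name, or taking its ARN as a module input, plus a one-line comment stating which permissions the boundary is meant to cap for this Lambda, would make the intent checkable. The resource body continues outside the hunk.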
--- a/terraform/platform/main.tf
+++ b/terraform/platform/main.tf
@@ -36,6 +36,7 @@ module "iam" {
 registered_app_repos = var.registered_app_repos
 override_approvers = var.override_approvers
 github_org = var.github_org
+ apply_gate_role_arn = module.lambdas.apply_gate_role_arn
 }
 module "compute" {
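Review bot: `module.iam` now consumes an output of `module.lambdas`; if the lambdas module takes any iam-module output as an input (the execution roles it attaches to its functions, for instance), this introduces a module-level dependency cycle that the removed string-built ARN had avoided, and `terraform validate` or `plan` would reject it. The remaining inputs of the `module "iam"` block are outside the hunk, so this cannot be confirmed from the diff. If a cycle does exist, the usual resolution is to define the apply_gate role next to ci_app in the iam module and pass its ARN into the lambdas module, rather than the other way round.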