diff --git a/iam-roles/PRX-GHA-AccessRole/template.yml b/iam-roles/PRX-GHA-AccessRole/template.yml
index a698f9f3..6e47550b 100644
--- a/iam-roles/PRX-GHA-AccessRole/template.yml
+++ b/iam-roles/PRX-GHA-AccessRole/template.yml
@@ -43,6 +43,7 @@ Resources:
 - !Ref EcrPublicPushPolicy
 - !Ref PrivateEcrPushPolicy
 - !Ref SsmParameterPutPolicy
+ - !Ref SsmParameterGetDockerHubPolicy
 - !Ref AssumeRolePolicy
 RoleName: PRX-GHA-AccessRole
 Tags:
@@ -199,6 +200,21 @@ Resources:
 - ssm:PutParameter
 Resource: "arn:aws:ssm:*:*:parameter/*/pkg/docker-image-tag"
+ # GH actions need Docker Hub credentials to avoid rate limits
+ SsmParameterGetDockerHubPolicy:
+ Type: AWS::IAM::ManagedPolicy
+ Properties:
+ Description: Allows reading Docker Hub credentials from SSM
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - ssm:GetParameter
+ Resource:
+ - "arn:aws:ssm:*:*:parameter/prx/DOCKERHUB_USERNAME"
+ - "arn:aws:ssm:*:*:parameter/prx/DOCKERHUB_PASSWORD"
+
 # GH actions may need more permissions than we are willing to grant to this
 # role, so we allow this role to assume some other roles. The assumed role
 # **MUST** be tagged with PRX-GHA-AccessRole=AssumeRole. Roles that may
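Review bot: The Resource ARNs in the new SsmParameterGetDockerHubPolicy wildcard both region and account (`arn:aws:ssm:*:*:parameter/prx/...`); since this role only reads its own account's parameters, pin the account with `!Sub "arn:aws:ssm:*:${AWS::AccountId}:parameter/prx/DOCKERHUB_USERNAME"` and the same for `DOCKERHUB_PASSWORD` (the existing SsmParameterPutPolicy just above uses the same wildcard, so this may be a deliberate file-wide convention worth revisiting in one go). If DOCKERHUB_PASSWORD is a SecureString encrypted with a customer-managed KMS key rather than the account-default aws/ssm key, `ssm:GetParameter` with decryption will also need `kms:Decrypt` on that key, which this policy does not grant; a comment stating the expectation, e.g. `# SecureString under the default aws/ssm key; a CMK would additionally need kms:Decrypt`, would save the next reader a failed pipeline. Because the stated purpose is only avoiding pull rate limits, the value stored there should be a read-only Docker Hub access token rather than the account password, and the comment above the policy could say so. Note also that only the singular `ssm:GetParameter` is granted, so a workflow step that calls the plural GetParameters or GetParametersByPath will be denied.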