diff --git a/modules/scanning-delegate-role/main.tf b/modules/scanning-delegate-role/main.tf
index 8d33faa4..1090d7bd 100644
--- a/modules/scanning-delegate-role/main.tf
+++ b/modules/scanning-delegate-role/main.tf
@@ -234,7 +234,13 @@ data "aws_iam_policy_document" "assume_role_policy" {
 principals {
 type = "AWS"
- identifiers = var.scanner_roles
+ identifiers = "*"
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = var.scanner_roles
 }
 }
 }
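Review bot: `identifiers = "*"` in the `principals` block is a bare string, but `aws_iam_policy_document` expects a collection of strings there, so this should be `identifiers = ["*"]`. With the principal widened to every AWS identity, the added `ArnLike` condition on `aws:PrincipalArn` is the only thing restricting who can assume the role, and `ArnLike` honours wildcards, so an entry in `var.scanner_roles` with a wildcard in the account-id field would match roles in accounts you do not control. I would add a `validation` block on `scanner_roles` (declared outside this hunk) requiring a non-empty list and a literal 12-digit account id in each ARN, plus a comment above the condition such as `# Principal is "*"; this condition is the sole trust boundary`. The enclosing `statement` block starts above the hunk, so I cannot tell whether other conditions (for example an external ID) already apply.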