diff --git a/cdk_eoapi/pgStacInfra.py b/cdk_eoapi/pgStacInfra.py
index 0854e53..0dd3920 100644
--- a/cdk_eoapi/pgStacInfra.py
+++ b/cdk_eoapi/pgStacInfra.py
@@ -99,6 +99,8 @@ def __init__(
         )
 
         if data_access_role_arn:
+            # importing provided role from arn. 
+            # the stac ingestor will try to assume it when called, so it must be listed in the data access role trust policy.
             data_access_role = aws_iam.Role.from_role_arn(
                 self,
                 "data-access-role",
@@ -106,9 +108,6 @@ def __init__(
             )
         else:
             data_access_role = self._create_data_access_role()
-            data_access_role = self._grant_assume_role_with_principal_pattern(
-                data_access_role, f"*{self.stack_name}*ingestor*"
-            )  # beware, there is a limit in the number of characters a role can have (64) and AWS automatically truncates the role ARN if it's too long.
 
         stac_ingestor_env = {"REQUESTER_PAYS": "True"}
 
@@ -129,25 +128,38 @@ def __init__(
             ),
             api_env=stac_ingestor_env,
         )
+        
+        # we can only do that if the role is created here. If injecting a role, that role's trust relationship must be already set up, or set up after this deployment.
+        if not data_access_role_arn:
+            data_access_role = self._grant_assume_role_with_principal_pattern(data_access_role, stac_ingestor.handler_role.role_name)
 
     def _create_data_access_role(self) -> aws_iam.Role:
+        
         """
-        Creates basic data access role
+        Creates an IAM role with full S3 read access.
         """
 
-        return aws_iam.Role(
+        data_access_role = aws_iam.Role(
             self,
             "data-access-role",
             assumed_by=aws_iam.ServicePrincipal("lambda.amazonaws.com"),
         )
+        
+        data_access_role.add_to_policy(aws_iam.PolicyStatement(
+            actions=[
+                "s3:Get*",
+            ],
+            resources=["*"],
+            effect=aws_iam.Effect.ALLOW,
+        ))
+        return data_access_role
 
     def _grant_assume_role_with_principal_pattern(
-        self, role_to_assume: aws_iam.Role, principal_pattern: str
+        self, role_to_assume: aws_iam.Role, principal_pattern: str, account_id: str = boto3.client("sts").get_caller_identity().get("Account")
     ) -> aws_iam.Role:
         """
-        Grants assume role permissions to the role with the given pattern in the current account
+        Grants assume role permissions to the role of the given account with the given name pattern. Default account is the current account. 
         """
-        account_id = boto3.client("sts").get_caller_identity().get("Account")
 
         role_to_assume.assume_role_policy.add_statements(
             aws_iam.PolicyStatement(