diff --git a/terraform/deploy_ami_rotation_codebuild_image.sh b/terraform/deploy_ami_rotation_codebuild_image.sh
index b99529c..38c37c8 100755
--- a/terraform/deploy_ami_rotation_codebuild_image.sh
+++ b/terraform/deploy_ami_rotation_codebuild_image.sh
@@ -10,7 +10,7 @@ cd ${CALCLOUD_BUILD_DIR}/iac/codebuild
 pwd
 #./copy-cert # copy the cert from CI node AMI and replace the cert in current dir
-cert-update
+source hst_admin_role_shim.sh cert-update
 set -o pipefail && docker build -f Dockerfile -t ${AMIROTATION_DOCKER_IMAGE_UNSCANNED} --build-arg aws_env="${aws_env}" --build-arg CALCLOUD_VER="${CALCLOUD_VER}" .
 amirotation_docker_build_status=$?
diff --git a/terraform/deploy_docker_builds.sh b/terraform/deploy_docker_builds.sh
index 8bd085a..a9e04aa 100755
--- a/terraform/deploy_docker_builds.sh
+++ b/terraform/deploy_docker_builds.sh
@@ -21,7 +21,7 @@ fi
 # naming is confusing here but "modeling" directory plus "training" image is correct
 cd ${CALCLOUD_BUILD_DIR}/modeling
-cert-update
+source hst_admin_role_shim.sh cert-update
 #cp /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem certs/tls-ca-bundle.pem # copy the cert from CI node AMI
 set -o pipefail && docker build -f Dockerfile -t ${TRAINING_DOCKER_IMAGE} .
 training_docker_build_status=$?
@@ -32,7 +32,7 @@ fi
 # jobPredict lambda env
 cd ${CALCLOUD_BUILD_DIR}/lambda/JobPredict
-cert-update
+source hst_admin_role_shim.sh cert-update
 #cp /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem certs/tls-ca-bundle.pem # copy the cert from CI node AMI
 set -o pipefail && docker build -f Dockerfile -t ${PREDICT_DOCKER_IMAGE} .
 model_docker_build_status=$?
@@ -43,7 +43,7 @@ fi
 # caldp image
 cd ${CALDP_BUILD_DIR}
-cert-update
+source hst_admin_role_shim.sh cert-update
 #cp /etc/ssl/certs/ca-bundle.crt tls-ca-bundle.pem # copy the cert from CI node AMI
 set -o pipefail && docker build -f Dockerfile -t ${CALDP_DOCKER_IMAGE} --build-arg CAL_BASE_IMAGE="${CAL_BASE_IMAGE}" .
 caldp_docker_build_status=$?
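Review bot: `source hst_admin_role_shim.sh cert-update` still leaves the outcome of `cert-update` unchecked: `$?` after a `source` is the status of the last command run inside the shim, and the `docker build` on the next line runs regardless, so a failed cert download is carried silently into the image (the same applies to deploy_docker_builds.sh at @@ -21, @@ -32 and @@ -43). Checking it here, `source hst_admin_role_shim.sh cert-update || exit 1`, is only meaningful once the shim hands the command's status back with `return`, so the two changes belong together. Sourcing rather than executing also means the shim's own `exit 1` on a failed assume-role aborts this deploy script outright, and every variable the shim sets, including the one holding the assumed-role credentials, lands in this shell; if that is intended it deserves a one-line comment such as `# shim is sourced: it aborts the deploy if the admin role cannot be assumed`. Because `source` with a bare filename is looked up on PATH, this line appears to rely on deploy_vars.sh having put the tools directory on PATH beforehand.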
diff --git a/terraform/deploy_vars.sh b/terraform/deploy_vars.sh
index 4296bee..8aa343f 100755
--- a/terraform/deploy_vars.sh
+++ b/terraform/deploy_vars.sh
@@ -63,4 +63,4 @@ CSYS_VER=${CAL_BASE_IMAGE##*:}
 CSYS_VER=`echo $CSYS_VER | cut -f1,2 -d'_'` #split by underscores, keep the first two
 export CSYS_VER=`echo $CSYS_VER | awk '{print tolower($0)}'`
-# get repo_url here for the central ecr repo
+export PATH=`pwd`/tools:${PATH}
diff --git a/tools/cert-list b/terraform/tools/cert-list
old mode 100644
new mode 100755
similarity index 99%
rename from tools/cert-list
rename to terraform/tools/cert-list
index f14a669..cfdeaa7
--- a/tools/cert-list
+++ b/terraform/tools/cert-list
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python3
 """This script is used to dump out cert subjects and issuers in order to follow the chain of certs from JH to a root authority.
diff --git a/tools/cert-update b/terraform/tools/cert-update
old mode 100644
new mode 100755
similarity index 98%
rename from tools/cert-update
rename to terraform/tools/cert-update
index 1387250..ba7c987
--- a/tools/cert-update
+++ b/terraform/tools/cert-update
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python3
 # This script downloads and cleans the SSL cert needed for Docker builds
 # to transit the STScI packet inspection firewall on AWS. Originally
diff --git a/terraform/tools/hst_admin_role_shim.sh b/terraform/tools/hst_admin_role_shim.sh
new file mode 100644
index 0000000..2b41b82
--- /dev/null
+++ b/terraform/tools/hst_admin_role_shim.sh
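Review bot: `export PATH=\`pwd\`/tools:${PATH}` resolves `tools` against whatever directory the shell happens to be in when deploy_vars.sh is sourced, not against the file's own location, so invoked from any other directory the new `cert-update`/shim commands are not found, and because the entry is prepended, a `tools/` directory under that unrelated cwd would be searched before the system binaries. Anchoring on the script's own path avoids both: `export PATH="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/tools:${PATH}"`. The removed line `# get repo_url here for the central ecr repo` was a comment only, so the hunk drops no behaviour; the rest of deploy_vars.sh is outside this hunk, so whether the file is always sourced from the terraform directory cannot be confirmed from here.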
@@ -0,0 +1,44 @@
+#/bin/bash
+# This script assumes the hst_reprocessing_admin_role, runs a given command using that role, and then switches back to original role
+
+# Set region
+export AWS_DEFAULT_REGION="us-east-1"
+
+# Role to assume
+ACCOUNT_ID=`aws sts get-caller-identity --output=text | awk '{ print $1 }'`
+HST_ADMIN_ARN="arn:aws:iam::${ACCOUNT_ID}:role/hst_reprocessing_admin_role"
+
+# Grab parameters
+COMMAND_TO_RUN=$*
+
+# Save current AWS credentials
+CURRENT_AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
+CURRENT_AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
+CURRENT_AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN
+
+#Assume role, run command, and switch back
+printf "\n Assuming role..."
+if CREDENTIALS=`aws sts assume-role --role-arn $HST_ADMIN_ARN --role-session-name temp_admin_session --duration-seconds 3599` ; then
+
+ export AWS_ACCESS_KEY_ID=`echo ${CREDENTIALS} | python -c "import sys, json, os; temp=json.load(sys.stdin)['Credentials']['AccessKeyId'];print(temp)"`
+ export AWS_SECRET_ACCESS_KEY=`echo ${CREDENTIALS} | python -c "import sys, json, os; temp=json.load(sys.stdin)['Credentials']['SecretAccessKey'];print(temp)"`
+ export AWS_SESSION_TOKEN=`echo ${CREDENTIALS} | python -c "import sys, json, os; temp=json.load(sys.stdin)['Credentials']['SessionToken'];print(temp)"`
+
+ printf "\n Role assumed:"
+ aws sts get-caller-identity
+
+ printf "\n Running command\n"
+ $COMMAND_TO_RUN
+
+ printf "\n Switching back to original role"
+ export AWS_ACCESS_KEY_ID=$CURRENT_AWS_ACCESS_KEY_ID
+ export AWS_SECRET_ACCESS_KEY=$CURRENT_AWS_SECRET_ACCESS_KEY
+ export AWS_SESSION_TOKEN=$CURRENT_AWS_SESSION_TOKEN
+
+ printf "\n Role switched back:"
+ aws sts get-caller-identity
+
+else
+ printf "\n==========================\n\n - Error assuming role. Aborting execution\n\n"
+ exit 1
+fi
\ No newline at end of file
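Review bot: The wrapped command is run as an unquoted `$COMMAND_TO_RUN` built from `COMMAND_TO_RUN=$*`, which re-splits and globs the caller's arguments, and its exit status is discarded because the shim's last command is `aws sts get-caller-identity`, so a script that sources this file cannot tell that the command failed. The three credential fields are extracted by piping the unquoted `${CREDENTIALS}` JSON through `python` three times, while this same commit moves the tools to `python3`; asking STS for the three fields as one text line with `--query ... --output text` and a single `read -r` removes the interpreter dependency and the word-splitting, and an `unset CREDENTIALS` afterwards keeps the secret key and session token from lingering in the sourcing shell. Because the file is sourced, `return "$cmd_status"` rather than `exit` is the way to hand the command's status back, whereas the `exit 1` on a failed assume-role terminates the deploy script, which reads as the intended fail-closed behaviour and is worth a comment. Two smaller points: the first line `#/bin/bash` is missing the `!` (harmless for a sourced file, but misleading), and if the caller had no static keys the restore block exports empty `AWS_*` strings rather than unsetting them, which the CLI appears to tolerate but which is worth confirming.
```shell
#!/bin/bash
# … unchanged: region, ACCOUNT_ID, HST_ADMIN_ARN, saved CURRENT_AWS_* …

printf "\n Assuming role..."
# Ask STS for just the three fields as one tab-separated line: no JSON
# through an unquoted expansion, no separate python interpreter.
if CREDENTIALS=$(aws sts assume-role --role-arn "$HST_ADMIN_ARN" \
        --role-session-name temp_admin_session --duration-seconds 3599 \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text); then
    read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<<"$CREDENTIALS"
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    unset CREDENTIALS   # this file is sourced; do not leave the secret in the caller's shell

    # … unchanged: "Role assumed" banner and get-caller-identity …

    printf "\n Running command\n"
    "$@"                # the arguments given to `source`, kept as separate words
    cmd_status=$?

    # … unchanged: restore CURRENT_AWS_* and "Role switched back" banner …

    return "$cmd_status"   # sourced: hand the command's status back to the caller
else
    printf "\n==========================\n\n - Error assuming role. Aborting execution\n\n"
    exit 1              # sourced: this aborts the deploy script (fail closed)
fi
```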