diff --git a/.github/workflows/dev_deployment.yml b/.github/workflows/dev_deployment.yml
index 4026c2b..4906d74 100644
--- a/.github/workflows/dev_deployment.yml
+++ b/.github/workflows/dev_deployment.yml
@@ -53,6 +53,7 @@ jobs:
 HLS_MAXV_CPUS: ${{ secrets.HLS_MAXV_CPUS }}
 HLS_REPLACE_EXISTING: ${{ secrets.HLS_REPLACE_EXISTING }}
 HLS_SSH_KEYNAME: ${{ secrets.HLS_SSH_KEYNAME }}
+ HLS_DOWNLOADER_FUNCTION_ARN: ${{ secrets.HLS_DOWNLOADER_FUNCTION_ARN }}
 steps:
 - uses: actions/checkout@v2
diff --git a/.github/workflows/production_deployment.yml b/.github/workflows/production_deployment.yml
index 6727dfa..189fad0 100644
--- a/.github/workflows/production_deployment.yml
+++ b/.github/workflows/production_deployment.yml
@@ -53,6 +53,7 @@ jobs:
 HLS_MAXV_CPUS: ${{ secrets.HLS_MAXV_CPUS }}
 HLS_REPLACE_EXISTING: ${{ secrets.HLS_REPLACE_EXISTING }}
 HLS_SSH_KEYNAME: ${{ secrets.HLS_SSH_KEYNAME }}
+ HLS_DOWNLOADER_FUNCTION_ARN: ${{ secrets.HLS_DOWNLOADER_FUNCTION_ARN }}
 steps:
 - uses: actions/checkout@v2
diff --git a/environment.sh.sample b/environment.sh.sample
index f11df83..99c48b4 100755
--- a/environment.sh.sample
+++ b/environment.sh.sample
@@ -68,6 +68,9 @@ HLS_REPLACE_EXISTING=true
 # ssh keyname for use with Batch instance debugging.
 HLS_SSH_KEYNAME=hls-mount
+# Sentinel serverless downloader function role arn.
+HLS_DOWNLOADER_FUNCTION_ARN=something
+
 # Use Cloudwatch metrics for containers
 # HLS_USE_CLOUD_WATCH=true
diff --git a/stack/stack.py b/stack/stack.py
index 89ce40b..2f1ce0c 100644
--- a/stack/stack.py
+++ b/stack/stack.py
@@ -78,6 +78,8 @@ def getenv(key, default):
 "HLS_LANDSAT_SNS_TOPIC", "arn:aws:sns:us-west-2:673253540267:public-c2-notify"
 )
+DOWNLOADER_FUNCTION_ARN = getenv("HLS_DOWNLOADER_FUNCTION_ARN", None)
+
 # Stack named resources
 SENTINEL_INPUT_BUCKET = f"{STACKNAME}-sentinel-input-files"
 LAADS_BUCKET = f"{STACKNAME}-laads-bucket"
@@ -658,6 +660,18 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
 self.laads_cron.function.add_to_role_policy(self.laads_bucket_read_policy)
 self.laads_available.function.add_to_role_policy(self.laads_bucket_read_policy)
+ if DOWNLOADER_FUNCTION_ARN:
+ self.sentinel_input_bucket.add_to_resource_policy(
+ aws_iam.PolicyStatement(
+ resources=[
+ self.sentinel_input_bucket.bucket_arn,
+ f"{self.sentinel_input_bucket.bucket_arn}/*",
+ ],
+ actions=["s3:PutObject*", "s3:Abort*"],
+ principals=[aws_iam.ArnPrincipal(DOWNLOADER_FUNCTION_ARN)]
+ )
+ )
+
 self.sentinel_input_bucket_policy = aws_iam.PolicyStatement(
 resources=[
 self.sentinel_input_bucket.bucket_arn,
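Review bot: `actions=["s3:PutObject*", "s3:Abort*"]` in the new bucket resource policy grants the external principal more than an uploader needs, because the `s3:PutObject*` wildcard also matches s3:PutObjectAcl, s3:PutObjectTagging, s3:PutObjectRetention and s3:PutObjectLegalHold, so that principal could change object ACLs or retention settings on the Sentinel input bucket rather than only write objects. Spell out the two actions a downloader actually uses: `actions=["s3:PutObject", "s3:AbortMultipartUpload"],`. Separately, the variable is named HLS_DOWNLOADER_FUNCTION_ARN, but `aws_iam.ArnPrincipal` in a bucket policy must name an IAM identity (the function's execution role, as the environment.sh.sample comment in this commit says), not a Lambda function ARN, which S3 rejects as an invalid principal; a comment above the `if` such as `# Grant the external Sentinel downloader's execution role write access; the value must be an IAM role ARN, not the Lambda function ARN.` would make the expected value explicit. The enclosing `__init__` starts and ends outside this hunk.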