diff --git a/cdk/bin/cdk.ts b/cdk/bin/cdk.ts
new file mode 100644
index 00000000..08214db5
--- /dev/null
+++ b/cdk/bin/cdk.ts
@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+import 'source-map-support/register';
+import * as cdk from 'aws-cdk-lib';
+import { S3ECPythonGithub } from '../lib/cdk-stack';
+
+const app = new cdk.App();
+new S3ECPythonGithub(app, 'S3ECPythonGithub');
diff --git a/cdk/lib/cdk-stack.ts b/cdk/lib/cdk-stack.ts
index cdb7c489..97b30088 100644
--- a/cdk/lib/cdk-stack.ts
+++ b/cdk/lib/cdk-stack.ts
@@ -102,20 +102,27 @@ export class S3ECPythonGithub extends cdk.Stack {
 "s3:PutObject",
 "s3:GetObject",
 "s3:DeleteObject",
+ "s3:DeleteObjectVersion" // For S3EC-NET repo
 ],
 resources: [
 S3ECGithubTestS3Bucket.bucketArn + "/*", // object-level permissions need this extra path
 S3ECTestServerGithubBucket.bucketArn + "/*", // Add permissions for the new test-server bucket
+ "arn:aws:s3:::aws-net-sdk-*/*" // permission for object inside S3EC .net bucket. For S3EC-NET repo
 ],
 }),
 new PolicyStatement({
 effect: Effect.ALLOW,
 actions: [
+ "s3:CreateBucket", // For S3EC-NET repo
+ "s3:DeleteBucket", // For S3EC-NET repo
 "s3:ListBucket",
+ "s3:ListBucketVersions", // For S3EC-NET repo
+ "s3:GetBucketAcl" // For S3EC-NET repo
 ],
 resources: [
 S3ECGithubTestS3Bucket.bucketArn,
 S3ECTestServerGithubBucket.bucketArn, // Add permissions for the new test-server bucket
+ "arn:aws:s3:::aws-net-sdk-*", // permission for S3EC .net bucket. For S3EC-NET repo
 ],
 }),
 ]
@@ -155,7 +162,10 @@ export class S3ECPythonGithub extends cdk.Stack {
 "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
 },
 "StringLike": {
- "token.actions.githubusercontent.com:sub": "repo:aws/amazon-s3-encryption-client-python:*"
+ "token.actions.githubusercontent.com:sub": [
+ "repo:aws/amazon-s3-encryption-client-python:*",
+ "repo:aws/private-amazon-s3-encryption-client-dotnet-staging:*" // For S3EC-NET repo
+ ]
 }
 },
 "sts:AssumeRoleWithWebIdentity"
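Review bot: The added `arn:aws:s3:::aws-net-sdk-*` resources together with `s3:CreateBucket`, `s3:DeleteBucket` and `s3:DeleteObjectVersion` widen one shared role rather than a .NET-specific one, and the trust policy in the following hunk (which appears to belong to the same role) lets both the Python repo and the .NET staging repo assume it, so Python workflows also gain bucket create/delete rights and permanent version deletion they did not have before. A bucket-name prefix in an S3 resource ARN carries no account id, so the grant is not limited to buckets this stack creates; prefer a dedicated role for the .NET repo, or at least move the bucket-lifecycle actions into their own statement scoped to the exact bucket name(s) the .NET tests create. `s3:DeleteObjectVersion` is also added to the statement whose resources include `S3ECGithubTestS3Bucket` and `S3ECTestServerGithubBucket`, which appear to be the Python buckets; if only the .NET bucket needs it, keep it out of that statement. The enclosing class S3ECPythonGithub starts and ends outside the hunk.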
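Review bot: The new `StringLike` subject `repo:aws/private-amazon-s3-encryption-client-dotnet-staging:*` trusts every ref, environment and event type from that repo, so any branch or pull-request workflow there can obtain the role's credentials (the pre-existing Python entry has the same breadth). Narrow the subject to what the tests actually run from, e.g. `repo:aws/private-amazon-s3-encryption-client-dotnet-staging:ref:refs/heads/main` or `repo:aws/private-amazon-s3-encryption-client-dotnet-staging:environment:<env-name>`, and add a comment such as `// NOTE: staging repo name; update this subject when the repo is renamed or role assumption will silently fail`. The condition object and the role definition it belongs to start before this hunk.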
diff --git a/test-server/cpp-v2-server/Makefile b/test-server/cpp-v2-server/Makefile
index e9156d64..ad5c951e 100644
--- a/test-server/cpp-v2-server/Makefile
+++ b/test-server/cpp-v2-server/Makefile
@@ -8,7 +8,7 @@ PORT := 8085
 build/s3ec-server:
 brew install libmicrohttpd nlohmann-json ossp-uuid
 git clone --recurse-submodules https://github.com/aws/aws-sdk-cpp.git
- cd aws-sdk-cpp && git checkout --track remotes/origin/ajewell/ec-for-get-object
+ cd aws-sdk-cpp
 mkdir -p build && cd build && cmake ..
 
 start-server: | build/s3ec-server
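Review bot: The replacement line `cd aws-sdk-cpp` is a no-op, because each recipe line runs in its own shell, so the following `mkdir -p build && cd build && cmake ..` still runs in the test-server directory; if that is the intended build location, drop the line, otherwise chain it as `cd aws-sdk-cpp && mkdir -p build && cd build && cmake ..`. Dropping the `git checkout` also leaves the clone unpinned at whatever the upstream default branch holds at build time, which makes the build non-reproducible and pulls unreviewed upstream changes into the test server; pin a release, e.g. `git clone --recurse-submodules --branch <sdk-release-tag> https://github.com/aws/aws-sdk-cpp.git` (tag to be chosen by the maintainers). The `start-server` target continues outside the hunk.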