diff --git a/packages/@aws-cdk/aws-codebuild/lib/project.ts b/packages/@aws-cdk/aws-codebuild/lib/project.ts
index 985177e86d8eb..d4f349431b544 100644
--- a/packages/@aws-cdk/aws-codebuild/lib/project.ts
+++ b/packages/@aws-cdk/aws-codebuild/lib/project.ts
@@ -940,6 +940,9 @@ export class Project extends ProjectBase {
         this.buildImage.repository.addToResourcePolicy(statement);
       }
     }
+    if (imagePullPrincipalType === ImagePullPrincipalType.SERVICE_ROLE) {
+      this.buildImage.secretsManagerCredentials?.grantRead(this);
+    }
 
     return {
       type: this.buildImage.type,
diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.expected.json b/packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.expected.json
index 9ece692d80671..efaee26898636 100644
--- a/packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.expected.json
+++ b/packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.expected.json
@@ -22,6 +22,29 @@
       "Properties": {
         "PolicyDocument": {
           "Statement": [
+            {
+              "Action": [
+                "secretsmanager:GetSecretValue",
+                "secretsmanager:DescribeSecret"
+              ],
+              "Effect": "Allow",
+              "Resource": {
+                "Fn::Join": [
+                  "",
+                  [
+                    "arn:aws:secretsmanager:",
+                    {
+                      "Ref": "AWS::Region"
+                    },
+                    ":",
+                    {
+                      "Ref": "AWS::AccountId"
+                    },
+                    ":secret:my-secrets-123456"
+                  ]
+                ]
+              }
+            },
             {
               "Action": [
                 "logs:CreateLogGroup",
@@ -135,4 +158,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
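Review bot: The new `grantRead` call in project.ts carries no comment saying why the read grant is tied to `ImagePullPrincipalType.SERVICE_ROLE`, so a later reader may widen it to the other principal type or drop the condition; the optional chain also means a SERVICE_ROLE project that has no `secretsManagerCredentials` configured silently gets no grant, and it is not visible from this hunk whether that combination is validated elsewhere. A comment above the `if` such as `// With SERVICE_ROLE, CodeBuild pulls the registry image using the project role, so that role needs read access to the registry credentials secret; with the CodeBuild-managed principal the grant would be unused and only widen the role.` would record the intent and the least-privilege reasoning. If the credentials secret is expected to be mandatory for private registries under SERVICE_ROLE, consider whether the missing case should be reported at synth time rather than failing at image pull. The enclosing method starts and ends outside the hunk.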