diff --git a/authority/provisioner/aws.go b/authority/provisioner/aws.go
index a2461630..45abac97 100644
--- a/authority/provisioner/aws.go
+++ b/authority/provisioner/aws.go
@@ -281,6 +281,7 @@ func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 
 	// Template options
 	data := x509util.NewTemplateData()
+	data.SetToken(payload)
 	data.SetCommonName(payload.Claims.Subject)
 
 	// Enforce known CN and default DNS and IP if configured.