diff --git a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/locals.tf b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/locals.tf
index c81673d5..913d3bf2 100644
--- a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/locals.tf
+++ b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/locals.tf
@@ -7,6 +7,9 @@ locals {
   config_terraform_user = coalesce(var.terraform_user_name, local.bootstrap.iam.terraform_user_name)
   environment = coalesce(try(local.bootstrap.environment, null), try(local.bootstrap.iam.environment, null), "bootstrap")
   extra_tags = try(local.bootstrap.tags, {})
+
+  role_name = coalesce(var.existing_role_name, local.config_role_name)
+  terraform_user_name = coalesce(var.existing_user_name, local.config_terraform_user)
 }
 
 locals {
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/main.tf b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/main.tf
index d8870a18..760bf285 100644
--- a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/main.tf
+++ b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/main.tf
@@ -2,7 +2,9 @@
 # IAM Role: Terraform Deploy Role
 # ----------------------------------------
 resource "aws_iam_role" "terraform_deploy_role" {
-  name = local.config_role_name
+  count = var.create_role ? 1 : 0
+
+  name = local.role_name
 
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
@@ -28,7 +30,9 @@ resource "aws_iam_role" "terraform_deploy_role" {
 # 可选:当前阶段保持你原来的 Admin full access
 # (未来你可以把它缩到最小权限)
 resource "aws_iam_role_policy_attachment" "attach_admin" {
-  role = aws_iam_role.terraform_deploy_role.name
+  count = var.create_role ? 1 : 0
+
+  role = aws_iam_role.terraform_deploy_role[0].name
   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
 }
 
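Review bot: `role_name = coalesce(var.existing_role_name, local.config_role_name)` lets existing_role_name win even when create_role is true (the default), so a caller who sets both makes aws_iam_role.terraform_deploy_role try to create a role under the name of the role that already exists; `terraform_user_name` has the same interaction with existing_user_name. Selecting on the create flag keeps the two modes disjoint and makes the "existing" inputs inert unless creation is switched off: `role_name = var.create_role ? local.config_role_name : var.existing_role_name` and `terraform_user_name = var.create_user ? local.config_terraform_user : var.existing_user_name`. The enclosing locals block opens before this hunk.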
@@ -36,15 +40,19 @@ resource "aws_iam_role_policy_attachment" "attach_admin" {
 # IAM User for Terraform (AK/SK)
 # ----------------------------------------
 resource "aws_iam_user" "terraform_user" {
-  name = local.config_terraform_user
+  count = var.create_user ? 1 : 0
+
+  name = local.terraform_user_name
 }
 
 #
 # IAM User Policy: 最小权限
 # ----------------------------------------
 resource "aws_iam_user_policy" "terraform_user_policy" {
-  name = "${local.config_terraform_user}-iac-policy"
-  user = aws_iam_user.terraform_user.name
+  count = var.create_user ? 1 : 0
+
+  name = "${local.terraform_user_name}-iac-policy"
+  user = aws_iam_user.terraform_user[0].name
 
   policy = jsonencode({
     Version = "2012-10-17",
@@ -55,7 +63,7 @@ resource "aws_iam_user_policy" "terraform_user_policy" {
         Action = [
           "sts:AssumeRole"
         ],
-        Resource = aws_iam_role.terraform_deploy_role.arn
+        Resource = var.create_role ? aws_iam_role.terraform_deploy_role[0].arn : var.existing_role_arn
       },
 
       # S3: Terraform state bucket
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/outputs.tf b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/outputs.tf
index 519a216e..91a61c42 100644
--- a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/outputs.tf
+++ b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/outputs.tf
@@ -1,9 +1,9 @@
 output "iam_role_arn" {
-  value = aws_iam_role.terraform_deploy_role.arn
+  value = var.create_role ? aws_iam_role.terraform_deploy_role[0].arn : var.existing_role_arn
   description = "The ARN of the role assumed by Terraform"
 }
 
 output "terraform_user_name" {
-  value = aws_iam_user.terraform_user.name
+  value = var.create_user ? aws_iam_user.terraform_user[0].name : local.terraform_user_name
   description = "Terraform IAM User"
 }
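Review bot: When create_role is false the sts:AssumeRole statement's Resource is whatever var.existing_role_arn holds, unverified: a null value is serialised by jsonencode as `"Resource": null` and rejected at apply time, while a mistyped or foreign-account ARN is accepted silently and hands the IAM user assume-role on a role nobody checked; the outputs.tf hunk exposes the same expression. Resolving the role by name through a `data "aws_iam_role"` lookup makes the provider confirm the role exists in this account, lets existing_role_arn be dropped, and gives the policy and the output a single local to read. The terraform_user_policy resource starts and ends outside this hunk.
```hcl
# Look the pre-existing role up instead of trusting a pasted ARN; the
# data source fails the plan if no role of that name exists in this account.
data "aws_iam_role" "existing_deploy_role" {
  count = var.create_role ? 0 : 1
  name  = var.existing_role_name
}

locals {
  deploy_role_arn = var.create_role ? aws_iam_role.terraform_deploy_role[0].arn : data.aws_iam_role.existing_deploy_role[0].arn
}

# … unchanged: terraform_user_policy resource up to the sts:AssumeRole statement …
        Resource = local.deploy_role_arn
```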
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/variables.tf b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/variables.tf
index 92a16ee5..1f2a0b14 100644
--- a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/variables.tf
+++ b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/variables.tf
@@ -10,14 +10,54 @@ variable "account_name" {
   default = null
 }
 
+variable "create_role" {
+  description = "Whether to create the Terraform deploy IAM role"
+  type = bool
+  default = true
+}
+
+variable "existing_role_name" {
+  description = "Existing IAM role name to reference when create_role is false"
+  type = string
+  default = null
+}
+
+variable "existing_role_arn" {
+  description = "Existing IAM role ARN to reference when create_role is false"
+  type = string
+  default = null
+}
+
 variable "role_name" {
   type = string
   description = "IAM role name to create (e.g., TerraformDeployRole-Dev)"
   default = null
 }
 
+variable "create_user" {
+  description = "Whether to create the IAM user for Terraform"
+  type = bool
+  default = true
+}
+
+variable "existing_user_name" {
+  description = "Existing IAM username to reference when create_user is false"
+  type = string
+  default = null
+}
+
 variable "terraform_user_name" {
   type = string
   description = "IAM username for Terraform IAC runner"
   default = null
 }
+
+validation "require_existing_role_arn_when_not_creating" {
+  condition = var.create_role || (var.existing_role_arn != null && var.existing_role_name != null)
+  error_message = "existing_role_name and existing_role_arn must be provided when create_role is false."
+}
+
+validation "require_existing_user_name_when_not_creating" {
+  condition = var.create_user || var.existing_user_name != null
+  error_message = "existing_user_name must be provided when create_user is false."
+}
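Review bot: The two labelled `validation "..." { … }` blocks appended at the end of variables.tf are not a Terraform block type — `validation` is only accepted nested inside a `variable` block and takes no label — so init/validate rejects the file as an unsupported block before either guard can run, and the null-ARN case in the main.tf sts:AssumeRole statement is never caught. Move each check inside the variable it constrains; referencing var.create_role or var.existing_role_name from another variable's validation needs Terraform 1.9 or later, and on older versions the equivalent hard stop is a `lifecycle { precondition { … } }` on aws_iam_user_policy. A top-level `check` block would also parse, but its assertions only warn and do not block apply, which is not enough for a guard that decides which principal a user may assume.
```hcl
variable "existing_role_arn" {
  description = "Existing IAM role ARN to reference when create_role is false"
  type = string
  default = null

  # Cross-variable references inside validation require Terraform >= 1.9.
  validation {
    condition     = var.create_role || (var.existing_role_arn != null && var.existing_role_name != null)
    error_message = "existing_role_name and existing_role_arn must be provided when create_role is false."
  }
}

# … unchanged: role_name and create_user variables …

variable "existing_user_name" {
  description = "Existing IAM username to reference when create_user is false"
  type = string
  default = null

  validation {
    condition     = var.create_user || var.existing_user_name != null
    error_message = "existing_user_name must be provided when create_user is false."
  }
}

# … unchanged: terraform_user_name variable; the two top-level validation blocks are removed …
```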