diff --git a/CHANGELOG.md b/CHANGELOG.md
index ffe532da..3cff72cb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,34 @@
 All notable changes to this project will be documented in this file.
+### [4.21.6](https://github.com/wandb/terraform-aws-wandb/compare/v4.21.5...v4.21.6) (2024-07-24)
+
+
+### Bug Fixes
+
+* Always let the node role have access to the `default_kms_key` ([#249](https://github.com/wandb/terraform-aws-wandb/issues/249)) ([d8fa06f](https://github.com/wandb/terraform-aws-wandb/commit/d8fa06f89da48443cb9fe0a45f491e5c13bb41cc))
+
+### [4.21.5](https://github.com/wandb/terraform-aws-wandb/compare/v4.21.4...v4.21.5) (2024-07-24)
+
+
+### Bug Fixes
+
+* Use bucket KMS key arn if provided for W&B managed bucket, always use that key even if empty for customer provided buckets ([#248](https://github.com/wandb/terraform-aws-wandb/issues/248)) ([48131b7](https://github.com/wandb/terraform-aws-wandb/commit/48131b79219071b0a1311bbb5bc468a62c51e266))
+
+### [4.21.4](https://github.com/wandb/terraform-aws-wandb/compare/v4.21.3...v4.21.4) (2024-07-23)
+
+
+### Bug Fixes
+
+* Yace Yace Yace ([#247](https://github.com/wandb/terraform-aws-wandb/issues/247)) ([cf419bd](https://github.com/wandb/terraform-aws-wandb/commit/cf419bdd8d1a3c3996738bbfe8b292579db59d2f))
+
+### [4.21.3](https://github.com/wandb/terraform-aws-wandb/compare/v4.21.2...v4.21.3) (2024-07-23)
+
+
+### Bug Fixes
+
+* YACE scoping ([#246](https://github.com/wandb/terraform-aws-wandb/issues/246)) ([47871c8](https://github.com/wandb/terraform-aws-wandb/commit/47871c846c13ed93ffa71b68c8177f0d2d99d7cf))
+
 ### [4.21.2](https://github.com/wandb/terraform-aws-wandb/compare/v4.21.1...v4.21.2) (2024-07-18)
diff --git a/main.tf b/main.tf
index e45ac467..64d74304 100644
--- a/main.tf
+++ b/main.tf
@@ -12,13 +12,12 @@ module "kms" {
 }
 locals {
-
 default_kms_key = module.kms.key.arn
 clickhouse_kms_key = var.enable_clickhouse ? module.kms.clickhouse_key.arn : null
- s3_kms_key_arn = length(var.bucket_kms_key_arn) > 0 ? var.bucket_kms_key_arn : local.default_kms_key
 database_kms_key_arn = length(var.database_kms_key_arn) > 0 ? var.database_kms_key_arn : local.default_kms_key
 database_performance_insights_kms_key_arn = length(var.database_performance_insights_kms_key_arn) > 0 ? var.database_performance_insights_kms_key_arn : local.default_kms_key
 use_external_bucket = var.bucket_name != ""
+ s3_kms_key_arn = local.use_external_bucket || var.bucket_kms_key_arn != "" ? var.bucket_kms_key_arn : local.default_kms_key
 use_internal_queue = local.use_external_bucket || var.use_internal_queue
 }
@@ -141,7 +140,11 @@ module "app_eks" {
 map_roles = var.kubernetes_map_roles
 map_users = var.kubernetes_map_users
- bucket_kms_key_arn = local.s3_kms_key_arn
+ bucket_kms_key_arns = compact([
+ local.default_kms_key,
+ var.bucket_kms_key_arn != "" && var.bucket_kms_key_arn != null ? var.bucket_kms_key_arn : null
+ ])
+
 bucket_arn = data.aws_s3_bucket.file_storage.arn
 bucket_sqs_queue_arn = local.use_internal_queue ? null : data.aws_sqs_queue.file_storage.0.arn
@@ -335,10 +338,14 @@ module "wandb" {
 install = true
 regions = [data.aws_region.current.name]
 serviceAccount = { annotations = { "eks.amazonaws.com/role-arn" = module.iam_role[0].role_arn } }
+ searchTags = {
+ "Namespace" = var.namespace
+ }
 } : {
 install = false
 regions = []
 serviceAccount = {}
+ searchTags = {}
 }
 otel = {
diff --git a/modules/app_eks/iam-policy-docs.tf b/modules/app_eks/iam-policy-docs.tf
index 4e7f27b4..83b6aa1e 100644
--- a/modules/app_eks/iam-policy-docs.tf
+++ b/modules/app_eks/iam-policy-docs.tf
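Review bot: In the `locals` hunk, the new `s3_kms_key_arn` expression tests only `var.bucket_kms_key_arn != ""`, so a null value counts as "provided" and a W&B-managed bucket would receive null instead of `local.default_kms_key`. The `bucket_kms_key_arns` hunk in `module "app_eks"` checks both empty and null, and the two places should agree. Unless the variable is declared `nullable = false` (its declaration is not in this diff), the condition could read `local.use_external_bucket || (var.bucket_kms_key_arn != null && var.bucket_kms_key_arn != "")`. A comment such as `# Customer-provided buckets use bucket_kms_key_arn as given, even when empty; only the W&B-managed bucket falls back to the default key.` would record why the external-bucket branch skips the fallback.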
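Review bot: In the `module "app_eks"` hunk, the conditional inside `compact([...])` repeats what `compact` already does; its false branch even relies on `compact` dropping the null it returns. `bucket_kms_key_arns = compact([local.default_kms_key, var.bucket_kms_key_arn])` builds the same list and is easier to audit, which matters because this list ends up as the `resources` of the node role's KMS statement. Wrapping it in `distinct(...)` would also avoid a repeated ARN in the policy when the caller passes the default key's own ARN.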
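Review bot: In the `module "wandb"` hunk, `searchTags = { "Namespace" = var.namespace }` (presumably the YACE values block, going by the changelog entry) narrows what the exporter discovers, but it is a filter and not a permission boundary. The role named in the `eks.amazonaws.com/role-arn` annotation can still read whatever its IAM policy allows, and that policy is not in this diff. If the chart passes the value through to YACE's `searchTags`, it is matched as a regular expression, so a namespace `wandb` would also match resources tagged `wandb-staging`; `"Namespace" = "^${var.namespace}$"` keeps the match exact. A short comment should also state that the filter only works when the monitored resources carry a `Namespace` tag with this value.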
@@ -35,7 +35,7 @@ data "aws_iam_policy_document" "node_kms" {
 "kms:DescribeKey"
 ]
 effect = "Allow"
- resources = var.bucket_kms_key_arn == "" || var.bucket_kms_key_arn == null ? ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${aws_iam_role.node.name}"] : [var.bucket_kms_key_arn]
+ resources = var.bucket_kms_key_arns
 }
 }
diff --git a/modules/app_eks/variables.tf b/modules/app_eks/variables.tf
index 64e6df6e..ff2d4ce6 100644
--- a/modules/app_eks/variables.tf
+++ b/modules/app_eks/variables.tf
@@ -3,9 +3,9 @@ variable "bucket_arn" {
 nullable = false
 }
-variable "bucket_kms_key_arn" {
+variable "bucket_kms_key_arns" {
 description = "The Amazon Resource Name of the KMS key with which S3 storage bucket objects will be encrypted."
- type = string
+ type = list(string)
 }
 variable "fqdn" {
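Review bot: Nothing next to `resources = var.bucket_kms_key_arns` in `node_kms` says what the list is expected to hold, and the statement now depends entirely on the caller passing at least one key ARN. An empty list would leave the statement without any resource, which I would expect to surface as a policy error at apply time rather than at plan. I would add a comment above the line, for example `# KMS keys the node role may use for bucket objects; the caller must pass at least one key ARN`. The statement's opening and the rest of its action list are outside the hunk, so the full set of KMS actions granted on these keys is not visible here.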
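Review bot: `bucket_kms_key_arns` in `modules/app_eks/variables.tf` is copied straight into an IAM policy statement, yet the declaration accepts any list of strings, including null or `"*"`. The sibling `bucket_arn` is `nullable = false`; the same setting plus a validation that each entry looks like a KMS key ARN would stop a wrong value from becoming an IAM grant (the removed fallback put an IAM role ARN in this position). The description is still singular and should say these are the keys the node role is allowed to use. Renaming the variable changes the module's input interface, so any direct caller of `modules/app_eks` needs the new name.

```hcl
variable "bucket_kms_key_arns" {
  description = "ARNs of the KMS keys the node role may use for S3 storage bucket objects."
  type        = list(string)
  nullable    = false

  validation {
    condition = length(var.bucket_kms_key_arns) > 0 && alltrue([
      for arn in var.bucket_kms_key_arns :
      can(regex("^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:key/[A-Za-z0-9-]+$", arn))
    ])
    error_message = "bucket_kms_key_arns must be a non-empty list of KMS key ARNs."
  }
}
```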