diff --git a/templates/packer/ansible/roles/common/files/osbuild-worker.toml b/templates/packer/ansible/roles/common/files/osbuild-worker.toml
index 3116dfcaf..6942eed69 100644
--- a/templates/packer/ansible/roles/common/files/osbuild-worker.toml
+++ b/templates/packer/ansible/roles/common/files/osbuild-worker.toml
@@ -1,5 +1 @@
 base_path = "/api/image-builder-worker/v1"
-
-[osbuild_executor]
-type = "aws.ec2"
-iam_profile = "osbuild-executor"
diff --git a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/worker_config.sh b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/worker_config.sh
new file mode 100644
index 000000000..e15ebcd13
--- /dev/null
+++ b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/worker_config.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -euo pipefail
+
+source /tmp/cloud_init_vars
+
+echo "Writing osbuild_executor config to worker configuration."
+OSBUILD_EXECUTOR_IAM_PROFILE=${OSBUILD_EXECUTOR_IAM_PROFILE:-osbuild-executor}
+sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
+[osbuild_executor]
+type = "aws.ec2"
+iam_profile = "${OSBUILD_EXECUTOR_IAM_PROFILE}"
+EOF
diff --git a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/worker_executor.sh b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/worker_executor.sh
index c218588f9..e0eda2708 100755
--- a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/worker_executor.sh
+++ b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/worker_executor.sh
@@ -1,8 +1,10 @@
 #!/bin/bash
 set -euo pipefail
-# Don't subscribe on fedora
 source /etc/os-release
+source /tmp/cloud_init_vars
+
+# Don't subscribe on fedora
 if [ "$ID" != fedora ]; then
 /usr/local/bin/aws secretsmanager get-secret-value \
 --secret-id executor-subscription-manager-command | jq -r ".SecretString" > /tmp/subscription_manager_command.json
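Review bot: `source /tmp/cloud_init_vars` in the new worker_config.sh executes whatever that file contains with the privileges of the unit, and /tmp is world-writable, so the script trusts a path that another local account could have created first. The same line is added to worker_executor.sh in this commit. Who writes the file and with what mode is not visible here; if cloud-init does, having it write into a root-owned directory would remove the exposure, and until then a guard in front of the source line helps: `[[ -O /tmp/cloud_init_vars && ! -L /tmp/cloud_init_vars ]] || exit 1`. Because `set -e` is on, a missing file also aborts the script, even though the `:-osbuild-executor` default suggests the variable is meant to be optional.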
@@ -14,6 +16,8 @@ echo "Writing vector config."
 REGION=$(curl -Ls http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
 HOSTNAME=$(hostname)
 CLOUDWATCH_ENDPOINT="https://logs.$REGION.amazonaws.com"
+OSBUILD_EXECUTOR_CLOUDWATCH_GROUP=${OSBUILD_EXECUTOR_CLOUDWATCH_GROUP:-osbuild-executor-log-group}
+
 sudo mkdir -p /etc/vector
 sudo tee /etc/vector/vector.toml > /dev/null << EOF
 [sources.journald]
@@ -25,7 +29,7 @@ type = "aws_cloudwatch_logs"
 inputs = [ "journald" ]
 region = "${REGION}"
 endpoint = "${CLOUDWATCH_ENDPOINT}"
-group_name = "osbuild-executor-log-group"
+group_name = "${OSBUILD_EXECUTOR_CLOUDWATCH_GROUP}"
 stream_name = "osbuild_executor_syslog_${HOSTNAME}"
 encoding.codec = "json"
 EOF
diff --git a/templates/packer/ansible/roles/common/files/worker-initialization.service b/templates/packer/ansible/roles/common/files/worker-initialization.service
index 528762f7c..1e7bad575 100644
--- a/templates/packer/ansible/roles/common/files/worker-initialization.service
+++ b/templates/packer/ansible/roles/common/files/worker-initialization.service
@@ -9,6 +9,7 @@ Type=oneshot
 ExecStart=touch /etc/worker-first-boot
 ExecStart=/usr/local/libexec/worker-initialization-scripts/set_hostname.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/vector.sh
+ExecStart=/usr/local/libexec/worker-initialization-scripts/worker_config.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/offline_token.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/client_credentials.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/subscription_manager.sh
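Review bot: `group_name = "${OSBUILD_EXECUTOR_CLOUDWATCH_GROUP}"` places the variable between TOML quotes unchecked, so a value holding a `"` or a line break would alter the structure of vector.toml instead of only naming the log group. The heredoc this line sits in opens in the previous hunk, right after the default is assigned, and that is where a check belongs: `[[ $OSBUILD_EXECUTOR_CLOUDWATCH_GROUP =~ ^[A-Za-z0-9_./#-]+$ ]] || exit 1` (the characters CloudWatch accepts in a log group name). `iam_profile = "${OSBUILD_EXECUTOR_IAM_PROFILE}"` in worker_config.sh is written the same way and would want the equivalent check.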
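Review bot: The added `ExecStart=` runs worker_config.sh on every activation of this unit, and that script appends with `tee -a`, so a second run would leave two `[osbuild_executor]` tables in osbuild-worker.toml; TOML does not allow a table to be defined twice. Whether the unit can start more than once depends on the conditions in its [Unit] section, which is outside the hunk. Having the script skip the append when the table is already present, e.g. `grep -q '^\[osbuild_executor\]' /etc/osbuild-worker/osbuild-worker.toml ||` in front of the `sudo tee -a`, would keep it safe either way.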