diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index a1478d2..fb5a2b8 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -9,8 +9,6 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-- secrets_viewer_role.yaml
-- secrets_viewer_role_binding.yaml
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 6e023e2..45d0b8f 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -5,6 +5,14 @@ metadata:
   creationTimestamp: null
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - bmc.tinkerbell.org
   resources:
diff --git a/controllers/machine_controller.go b/controllers/machine_controller.go
index 1f98fb3..3e967aa 100644
--- a/controllers/machine_controller.go
+++ b/controllers/machine_controller.go
@@ -64,6 +64,7 @@ type machineFieldReconciler func(context.Context, *bmcv1alpha1.Machine, BMCClien
 //+kubebuilder:rbac:groups=bmc.tinkerbell.org,resources=machines,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=bmc.tinkerbell.org,resources=machines/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=bmc.tinkerbell.org,resources=machines/finalizers,verbs=update
+//+kubebuilder:rbac:groups="",resources=secrets;,verbs=get;list;watch
 
 // Reconcile ensures the state of a Machine.
 // Gets the Machine object and uses the SecretReference to initialize a BMC Client.