diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 305ff4d83687a06e9e2c3a3300e03d4761e7afb1..b990a9fd57eb3ef010ab34e9f8f397583a6c76cc 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -66,3 +66,12 @@ rules:
   - create
   - get
   - update
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - list
+  - update
diff --git a/controllers/stepclusterissuer_controller.go b/controllers/stepclusterissuer_controller.go
index 8fca0d8e20980b4f6e9f9955d532bb7a3525ee5e..f010cd216d63a6cde94aee8671804bdfe264c70f 100644
--- a/controllers/stepclusterissuer_controller.go
+++ b/controllers/stepclusterissuer_controller.go
@@ -43,6 +43,7 @@ type StepClusterIssuerReconciler struct {
 // +kubebuilder:rbac:groups=certmanager.step.sm,resources=stepclusterissuers/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=events,verbs=create;patch
+// +kubebuilder:rbac:groups="coordination.k8s.io",resources=leases,verbs=create;get;list;update
 
 // Reconcile will read and validate the StepClusterIssuer resources, it will set the
 // status condition ready to true if everything is right.
@@ -68,6 +69,7 @@ func (r *StepClusterIssuerReconciler) Reconcile(ctx context.Context, req ctrl.Re
 		Namespace: req.Namespace,
 		Name:      iss.Spec.Provisioner.PasswordRef.Name,
 	}
+	log.Info("secretNamespaceName", secretNamespaceName)
 	if err := r.Client.Get(ctx, secretNamespaceName, &secret); err != nil {
 		log.Error(err, "failed to retrieve StepClusterIssuer provisioner secret", "namespace", secretNamespaceName.Namespace, "name", secretNamespaceName.Name)
 		if apierrors.IsNotFound(err) {