diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 8a4277a8e6f5d3a35b00cecae2384560b37cb229..67dd2d5a11e1bf0a8331cccc4c9ba436cd3b5213 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -6,6 +6,14 @@ metadata:
   creationTimestamp: null
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - certmanager.k8s.io
   resources:
@@ -43,11 +51,3 @@ rules:
   - get
   - patch
   - update
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - list
-  - watch
diff --git a/controllers/stepissuer_controller.go b/controllers/stepissuer_controller.go
index 04abdd8b9da049a11838a4bcc1d06c728aac19da..4e7e778ca6ca7db6b7c01e5e3fa93d13f033bd8b 100644
--- a/controllers/stepissuer_controller.go
+++ b/controllers/stepissuer_controller.go
@@ -41,6 +41,7 @@ type StepIssuerReconciler struct {
 
 // +kubebuilder:rbac:groups=certmanager.step.sm,resources=stepissuers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=certmanager.step.sm,resources=stepissuers/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
 
 // Reconcile will read and validate the StepIssuer resources, it will set the
 // status condition ready to true if everything is right.
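Review bot: The added `// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch` marker lets the controller read every Secret in whatever scope manager-role is bound, and nothing in the hunk says why all three verbs are needed. If the reconciler only fetches the specific secret a StepIssuer references (its body is outside this hunk, so this is an assumption), `verbs=get` would be enough, provided the read does not go through a cache that needs list/watch. Either way, add a comment above the marker recording the reason, for example `// Secrets are read to load the credentials referenced by a StepIssuer.` The same rule lands in config/rbac/role.yaml, so any narrowing should be made here and the role regenerated.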