diff --git a/manifests/rbac/controller.yaml b/manifests/rbac/controller.yaml
index b059891f..9f5e18eb 100644
--- a/manifests/rbac/controller.yaml
+++ b/manifests/rbac/controller.yaml
@@ -69,6 +69,13 @@ rules:
   - update
   - patch
   - delete
+# required for object-level workload identity
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
 # required for flow control
 - nonResourceURLs:
   - /livez/ping