diff --git a/charts/maas/templates/deployment-rack.yaml b/charts/maas/templates/deployment-rack.yaml
index f888007..cf81a18 100644
--- a/charts/maas/templates/deployment-rack.yaml
+++ b/charts/maas/templates/deployment-rack.yaml
@@ -19,6 +19,8 @@ limitations under the License.
 {{- end -}}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.rack_controller }}
+{{- $serviceAccountName := "maas-rack" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 {{- $mounts_maas_rack := .Values.pod.mounts.maas_rack }}
 {{- $mounts_maas_rack_init := .Values.pod.mounts.maas_rack.init_container }}
 ---
@@ -36,6 +38,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 affinity:
 {{ tuple $envAll "maas" "rack" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
diff --git a/charts/maas/templates/job-bootstrap-admin-user.yaml b/charts/maas/templates/job-bootstrap-admin-user.yaml
index 8111784..68a6f04 100644
--- a/charts/maas/templates/job-bootstrap-admin-user.yaml
+++ b/charts/maas/templates/job-bootstrap-admin-user.yaml
@@ -16,6 +16,8 @@ limitations under the License.
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.bootstrap_admin_user }}
+{{- $serviceAccountName := "maas-bootstrap-admin-user" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
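Review bot: The service account names are fixed literals (`"maas-rack"` here, and likewise `maas-bootstrap-admin-user`, `maas-db-init`, `maas-db-sync`, `maas-export-api-key`, `maas-import-resources` and `maas-region` in the other files), so two releases of the chart in one namespace would resolve to the same ServiceAccount and, for the export job, the same Role and RoleBinding. If that layout is meant to be supported, deriving the name from the release, for example `{{- $serviceAccountName := printf "%s-%s" .Release.Name "maas-rack" }}`, keeps each release's identity and grants separate. A short template comment above the include saying what the snippet renders (presumably the ServiceAccount plus whatever RBAC the dependency check needs) would also help, since that is not visible from these files.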
@@ -27,6 +29,7 @@ spec:
 labels:
 {{ tuple $envAll "maas" "bootstrap-admin-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }}
diff --git a/charts/maas/templates/job-db-init.yaml b/charts/maas/templates/job-db-init.yaml
index a38008e..bef41a1 100644
--- a/charts/maas/templates/job-db-init.yaml
+++ b/charts/maas/templates/job-db-init.yaml
@@ -16,6 +16,8 @@ limitations under the License.
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.db_init }}
+{{- $serviceAccountName := "maas-db-init" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -27,6 +29,7 @@ spec:
 labels:
 {{ tuple $envAll "maas" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }}
diff --git a/charts/maas/templates/job-db-sync.yaml b/charts/maas/templates/job-db-sync.yaml
index 13c66e8..30462c4 100644
--- a/charts/maas/templates/job-db-sync.yaml
+++ b/charts/maas/templates/job-db-sync.yaml
@@ -16,6 +16,8 @@ limitations under the License.
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.db_sync }}
+{{- $serviceAccountName := "maas-db-sync" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -27,6 +29,7 @@ spec:
 labels:
 {{ tuple $envAll "maas" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }}
diff --git a/charts/maas/templates/job-export-api-key.yaml b/charts/maas/templates/job-export-api-key.yaml
index 6318424..dae3d4e 100644
--- a/charts/maas/templates/job-export-api-key.yaml
+++ b/charts/maas/templates/job-export-api-key.yaml
@@ -17,6 +17,35 @@ limitations under the License.
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.export_api_key }}
 {{- $initMounts := .Values.pod.mounts.export_api_key.export_api_key }}
+{{- $serviceAccountName := "maas-export-api-key" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -28,6 +57,7 @@ spec:
 labels:
 {{ tuple $envAll "maas" "export-api-key" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }}
diff --git a/charts/maas/templates/job-import.yaml b/charts/maas/templates/job-import.yaml
index 4fb6ffb..d6f630b 100644
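Review bot: The Role added in job-export-api-key.yaml lets the `maas-export-api-key` service account `get`, `create` and `update` every Secret in the release namespace, because the rule carries no `resourceNames`. If the job only manages one known secret, `get` and `update` can be scoped with `resourceNames: ["<SECRET_NAME>"]` in a separate rule; `create` cannot be restricted by name in RBAC, so it would stay unscoped. The Role and RoleBinding also use `rbac.authorization.k8s.io/v1beta1`, which newer Kubernetes releases no longer serve, and `rbac.authorization.k8s.io/v1` accepts the same fields for both kinds. The secret's name is not visible in this hunk, so the placeholder has to be filled in from the job's script or values.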
--- a/charts/maas/templates/job-import.yaml
+++ b/charts/maas/templates/job-import.yaml
@@ -16,6 +16,8 @@ limitations under the License.
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.import_resources }}
+{{- $serviceAccountName := "maas-import-resources" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -27,6 +29,7 @@ spec:
 labels:
 {{ tuple $envAll "maas" "import-resources" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }}
diff --git a/charts/maas/templates/statefulset-region.yaml b/charts/maas/templates/statefulset-region.yaml
index c1820ae..de6c8fb 100644
--- a/charts/maas/templates/statefulset-region.yaml
+++ b/charts/maas/templates/statefulset-region.yaml
@@ -15,6 +15,8 @@
 {{- if .Values.manifests.region_statefulset }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.region_controller }}
+{{- $serviceAccountName := "maas-region" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 {{- $mounts_maas_region := .Values.pod.mounts.maas_region.maas_region }}
 {{- $mounts_maas_region_init := .Values.pod.mounts.maas_region.init_container }}
 ---
@@ -31,6 +33,7 @@ spec:
 {{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 annotations:
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 affinity:
 {{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector: