diff --git a/deploy/sthome-webhook/templates/rbac.yaml b/deploy/sthome-webhook/templates/rbac.yaml
index 4c9a49d..851480d 100644
--- a/deploy/sthome-webhook/templates/rbac.yaml
+++ b/deploy/sthome-webhook/templates/rbac.yaml
@@ -9,6 +9,46 @@ metadata:
 release: {{ .Release.Name }}
 heritage: {{ .Release.Service }}
 ---
+# Grant the webhook permission to read the secrets containing the credentials
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ include "sthome-webhook.name" . }}
+ chart: {{ include "sthome-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - 'secrets'
+ verbs:
+ - 'get'
+---
+# Grant the webhook permission to read the secrets containing the credentials
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ include "sthome-webhook.name" . }}
+ chart: {{ include "sthome-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "sthome-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+---
 # Grant the webhook permission to read the ConfigMap containing the Kubernetes
 # apiserver's requestheader-ca-certificate.
 # This ConfigMap is automatically created by the Kubernetes apiserver.
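Review bot: The new `secrets-reader` Role grants `get` on every Secret in the release namespace, while its own comment says only "the secrets containing the credentials" are needed; since the rule uses only `get`, it can be scoped with `resourceNames` to exactly those objects, e.g. `resourceNames:` / `  - '<credential-secret-name>'` (placeholder — fill in from the chart's values, or render the list from a values entry so per-install secret names stay configurable). Without that restriction, a compromise of the webhook's ServiceAccount token reads any Secret co-located in the namespace, which is the wider blast radius least privilege is meant to avoid. Two smaller points in the same hunk: the comment above the RoleBinding duplicates the Role's comment and would be more accurate as `# Bind the secrets-reader Role to the webhook's ServiceAccount`, and the empty core apiGroup is written `''` in the Role but `""` in the RoleBinding subjects — pick one quoting style for the file.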