diff --git a/Makefile b/Makefile index e9a816687..54d2441eb 100644 --- a/Makefile +++ b/Makefile @@ -517,6 +517,14 @@ manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) @sed -i '1s/^/{{ if .Values.enableSecretRotation }}\n/gm; $$s/$$/\n{{ end }}/gm' manifest_staging/charts/secrets-store-csi-driver/templates/role-rotation.yaml @sed -i '1s/^/{{ if .Values.enableSecretRotation }}\n/gm; s/namespace: .*/namespace: {{ .Release.Namespace }}/gm; $$s/$$/\n{{ end }}/gm' manifest_staging/charts/secrets-store-csi-driver/templates/role-rotation_binding.yaml + # Generate token requests specific RBAC + $(CONTROLLER_GEN) rbac:roleName=secretprovidertokenrequest-role paths="./controllers/tokenrequest" output:dir=config/rbac-tokenrequest + $(KUSTOMIZE) build config/rbac-tokenrequest -o manifest_staging/deploy/rbac-secretprovidertokenrequest.yaml + cp config/rbac-tokenrequest/role.yaml manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest.yaml + cp config/rbac-tokenrequest/role_binding.yaml manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest_binding.yaml + @sed -i '1s/^/{{ if .Values.tokenRequests }}\n/gm; $$s/$$/\n{{ end }}/gm' manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest.yaml + @sed -i '1s/^/{{ if .Values.tokenRequests }}\n/gm; s/namespace: .*/namespace: {{ .Release.Namespace }}/gm; $$s/$$/\n{{ end }}/gm' manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest_binding.yaml + .PHONY: generate-protobuf generate-protobuf: $(PROTOC) $(PROTOC_GEN_GO) # generates protobuf $(PROTOC) -I . provider/v1alpha1/service.proto --go_out=plugins=grpc:. --plugin=$(PROTOC_GEN_GO) diff --git a/config/rbac-tokenrequest/kustomization.yaml b/config/rbac-tokenrequest/kustomization.yaml new file mode 100644 index 000000000..b228b96da --- /dev/null +++ b/config/rbac-tokenrequest/kustomization.yaml @@ -0,0 +1,3 @@ +resources: +- role.yaml +- role_binding.yaml 
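Review bot: The two added `sed` lines gate the copied templates on `.Values.tokenRequests`, but nothing in this diff adds a `tokenRequests` key to the chart's values.yaml; if it is not already declared there (not visible here), Helm evaluates the missing value as false and silently omits the ClusterRole and ClusterRoleBinding, so a driver that does issue TokenRequests is denied at mount or rotation time with no install-time error. Please confirm the key exists with the intended default and is the same value that drives the CSIDriver's `tokenRequests` field in the chart, so the feature toggle and its RBAC cannot drift apart. The recipe also deserves a why-comment, since the split is a deliberate privilege reduction rather than a cosmetic move: `# serviceaccounts/token create is cluster-wide (create cannot be scoped by resourceNames), so it lives in its own role and is only rendered when token requests are enabled`. The `manifests` target begins before this hunk.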
diff --git a/config/rbac-tokenrequest/role.yaml b/config/rbac-tokenrequest/role.yaml new file mode 100644 index 000000000..166ad1432 --- /dev/null +++ b/config/rbac-tokenrequest/role.yaml @@ -0,0 +1,24 @@ + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: secretprovidertokenrequest-role +rules: +- apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create +- apiGroups: + - storage.k8s.io + resourceNames: + - secrets-store.csi.k8s.io + resources: + - csidrivers + verbs: + - get + - list + - watch diff --git a/config/rbac-tokenrequest/role_binding.yaml b/config/rbac-tokenrequest/role_binding.yaml new file mode 100644 index 000000000..10218e2f6 --- /dev/null +++ b/config/rbac-tokenrequest/role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: secretprovidertokenrequest-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: secretprovidertokenrequest-role +subjects: +- kind: ServiceAccount + name: secrets-store-csi-driver + namespace: kube-system diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 4ce202d45..6c5a8807b 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -21,12 +21,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create - apiGroups: - secrets-store.csi.x-k8s.io resources: @@ -55,13 +49,3 @@ rules: - get - patch - update -- apiGroups: - - storage.k8s.io - resourceNames: - - secrets-store.csi.k8s.io - resources: - - csidrivers - verbs: - - get - - list - - watch diff --git a/controllers/secretproviderclasspodstatus_controller.go b/controllers/secretproviderclasspodstatus_controller.go index cc972cae4..c327459fa 100644 --- a/controllers/secretproviderclasspodstatus_controller.go +++ b/controllers/secretproviderclasspodstatus_controller.go 
@@ -213,8 +213,6 @@ func (r *SecretProviderClassPodStatusReconciler) ListOptionsLabelSelector() clie // +kubebuilder:rbac:groups=secrets-store.csi.x-k8s.io,resources=secretproviderclasses,verbs=get;list;watch // +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch // +kubebuilder:rbac:groups="",resources=events,verbs=create;patch -// +kubebuilder:rbac:groups="storage.k8s.io",resources=csidrivers,verbs=get;list;watch,resourceNames=secrets-store.csi.k8s.io -// +kubebuilder:rbac:groups="",resources="serviceaccounts/token",verbs=create func (r *SecretProviderClassPodStatusReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { r.mutex.Lock() diff --git a/controllers/tokenrequest/tokenrequest.go b/controllers/tokenrequest/tokenrequest.go new file mode 100644 index 000000000..11803aa7a --- /dev/null +++ b/controllers/tokenrequest/tokenrequest.go @@ -0,0 +1,23 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package tokenrequest holds the RBAC permission annotations for the controller +// to create a serviceaccount token and pass it as part of Mount Request. +// ref: https://kubernetes-csi.github.io/docs/token-requests.html +package tokenrequest + +// +kubebuilder:rbac:groups="storage.k8s.io",resources=csidrivers,verbs=get;list;watch,resourceNames=secrets-store.csi.k8s.io +// +kubebuilder:rbac:groups="",resources="serviceaccounts/token",verbs=create 
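Review bot: The package comment should spell out the privilege these markers grant: `serviceaccounts/token` with `create` cannot be narrowed by `resourceNames`, so the driver's service account can mint a token for any service account in any namespace, which is the reason this RBAC is now carved out and gated instead of living in the general role. The comment also says the controller creates the token and passes it "as part of Mount Request", but from the markers alone it is not clear which code path actually calls TokenRequest, so I would name the caller (the rotation reconciler, if that is the case) and why `csidrivers` read access is bundled with it (presumably to read the audiences off the CSIDriver object - please confirm). One caveat worth recording next to the second marker: RBAC `resourceNames` on `list`/`watch` is only honoured for requests that name the single object via a `metadata.name` field selector, so an unnamed informer list on `csidrivers` would be denied by this rule as written. I would replace the comment's second sentence with roughly `// The serviceaccounts/token create grant is cluster-wide (create verbs cannot be restricted by resourceNames), so keep this package minimal and bind it only when CSIDriver.spec.tokenRequests is set.`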
diff --git a/manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest.yaml b/manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest.yaml
new file mode 100644
index 000000000..abec82a2c
--- /dev/null
+++ b/manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest.yaml
@@ -0,0 +1,26 @@
+{{ if .Values.tokenRequests }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: secretprovidertokenrequest-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
+- apiGroups:
+  - storage.k8s.io
+  resourceNames:
+  - secrets-store.csi.k8s.io
+  resources:
+  - csidrivers
+  verbs:
+  - get
+  - list
+  - watch
+{{ end }}
diff --git a/manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest_binding.yaml b/manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest_binding.yaml
new file mode 100644
index 000000000..e750c8c14
--- /dev/null
+++ b/manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest_binding.yaml
@@ -0,0 +1,14 @@
+{{ if .Values.tokenRequests }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: secretprovidertokenrequest-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: secretprovidertokenrequest-role
+subjects:
+- kind: ServiceAccount
+  name: secrets-store-csi-driver
+  namespace: {{ .Release.Namespace }}
+{{ end }}
diff --git a/manifest_staging/charts/secrets-store-csi-driver/templates/role.yaml b/manifest_staging/charts/secrets-store-csi-driver/templates/role.yaml
index 98b8255dd..637ff19ec 100644
--- a/manifest_staging/charts/secrets-store-csi-driver/templates/role.yaml
+++ b/manifest_staging/charts/secrets-store-csi-driver/templates/role.yaml
@@ -22,12 +22,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create - apiGroups: - secrets-store.csi.x-k8s.io resources: @@ -56,16 +50,6 @@ rules: - get - patch - update -- apiGroups: - - storage.k8s.io - resourceNames: - - secrets-store.csi.k8s.io - resources: - - csidrivers - verbs: - - get - - list - - watch {{- if .Values.rbac.pspEnabled }} - apiGroups: - policy diff --git a/manifest_staging/deploy/rbac-secretproviderclass.yaml b/manifest_staging/deploy/rbac-secretproviderclass.yaml index fdb08322f..abc704c19 100644 --- a/manifest_staging/deploy/rbac-secretproviderclass.yaml +++ b/manifest_staging/deploy/rbac-secretproviderclass.yaml @@ -25,12 +25,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create - apiGroups: - secrets-store.csi.x-k8s.io resources: @@ -59,16 +53,6 @@ rules: - get - patch - update -- apiGroups: - - storage.k8s.io - resourceNames: - - secrets-store.csi.k8s.io - resources: - - csidrivers - verbs: - - get - - list - - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/manifest_staging/deploy/rbac-secretprovidertokenrequest.yaml b/manifest_staging/deploy/rbac-secretprovidertokenrequest.yaml new file mode 100644 index 000000000..00ce76fbc --- /dev/null +++ b/manifest_staging/deploy/rbac-secretprovidertokenrequest.yaml 
@@ -0,0 +1,35 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: secretprovidertokenrequest-role +rules: +- apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create +- apiGroups: + - storage.k8s.io + resourceNames: + - secrets-store.csi.k8s.io + resources: + - csidrivers + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: secretprovidertokenrequest-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: secretprovidertokenrequest-role +subjects: +- kind: ServiceAccount + name: secrets-store-csi-driver + namespace: kube-system diff --git a/test/bats/e2e-provider.bats b/test/bats/e2e-provider.bats index e9cfa8ddb..bde3fedce 100644 --- a/test/bats/e2e-provider.bats +++ b/test/bats/e2e-provider.bats @@ -80,6 +80,9 @@ export VALIDATE_TOKENS_AUDIENCE=$(get_token_requests_audience) run kubectl get clusterrole/secretprovidersyncing-role assert_success + run kubectl get clusterrole/secretprovidertokenrequest-role + assert_success + run kubectl get clusterrolebinding/secretproviderclasses-rolebinding assert_success @@ -88,6 +91,9 @@ export VALIDATE_TOKENS_AUDIENCE=$(get_token_requests_audience) run kubectl get clusterrolebinding/secretprovidersyncing-rolebinding assert_success + + run kubectl get clusterrolebinding/secretprovidertokenrequest-rolebinding + assert_success } @test "[v1alpha1] deploy e2e-provider secretproviderclass crd" {
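Review bot: The new assertions only check that `clusterrole/secretprovidertokenrequest-role` and its binding exist; they do not verify that the permission split actually took effect, so a regression that leaves `serviceaccounts/token` in `secretproviderclasses-role`, or a typo in the new role's rules, would still pass. I would add an effective-permission check right after the new binding assertion, e.g. `run kubectl auth can-i create serviceaccounts/token --as=system:serviceaccount:kube-system:secrets-store-csi-driver` followed by `assert_success` and `assert_output "yes"`, which exercises the role, the binding and the subject together. The namespace in `--as` must match the namespace the test harness installs the driver into, which this hunk does not show, so derive it from the existing helper variables rather than hard-coding `kube-system` if the harness already exposes one.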