diff --git a/spark8t/resources/templates/role_yaml.tmpl b/spark8t/resources/templates/role_yaml.tmpl
index 2212d74..fef33b0 100644
--- a/spark8t/resources/templates/role_yaml.tmpl
+++ b/spark8t/resources/templates/role_yaml.tmpl
@@ -20,3 +20,24 @@ rules:
 - list
 - watch
 - delete
+ - deletecollection
+ - update
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ resourceNames:
+ - spark8t-sa-conf-{{username}}
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ resourceNames:
+ - configuration-hub-conf-{{username}}
+ verbs:
+ - get
\ No newline at end of file
diff --git a/spark8t/services.py b/spark8t/services.py
index 62f6e4a..63000f4 100644
--- a/spark8t/services.py
+++ b/spark8t/services.py
@@ -968,6 +968,26 @@ def create(
 self.exec(
 f"create {resource_type} {resource_name}", namespace=None, output="name"
 )
+ elif resource_type == KubernetesResourceType.ROLE:
+ with open(self.defaults.template_role) as f:
+ res = codecs.load_all_yaml(
+ f,
+ context=filter_none(
+ {
+ "resourcename": resource_name,
+ "namespace": namespace,
+ }
+ | extra_args
+ ),
+ )
+ with umask_named_temporary_file(
+ mode="w",
+ prefix="role-",
+ suffix=".yaml",
+ dir=os.path.expanduser("~"),
+ ) as t:
+ codecs.dump_all_yaml(res, t)
+ self.exec(f"apply -f {t.name}", namespace=namespace, output="name")
 else:
 # NOTE: removing 'username' to avoid interference with KUBECONFIG
 # ERROR: more than one authentication method found for admin; found [token basicAuth], only one is allowed
@@ -1281,16 +1301,7 @@ def create(self, service_account: ServiceAccount) -> str:
 KubernetesResourceType.ROLE,
 rolename,
 namespace=service_account.namespace,
- **{
- "resource": [
- "pods",
- "configmaps",
- "services",
- "serviceaccounts",
- "secrets",
- ],
- "verb": ["create", "get", "list", "watch", "delete"],
- },
+ **{"username": username},
 )
 self.kube_interface.create(
 KubernetesResourceType.ROLEBINDING,
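Review bot: The new `resourceNames` entries interpolate `{{username}}` straight into the YAML with no validation visible anywhere in this commit, so a username containing YAML-significant characters (quotes, `#`, a newline) would break or reshape the rendered Role rather than merely mis-name a resource; the rendering side in services.py (`codecs.load_all_yaml` with `extra_args`) should reject any username that is not a valid Kubernetes object-name fragment before the template is loaded. The three verbs added at the top of the hunk (`deletecollection`, `update`, `patch`) widen a rule whose `resources` list sits above the hunk, so its scope cannot be judged here. A one-line comment in the template stating why `patch`/`update` on the `spark8t-sa-conf-{{username}}` secret are required would help later RBAC audits, since the secret rule is otherwise the only write permission on secrets in this file section. The file is also left without a trailing newline (`\ No newline at end of file`).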
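Review bot: The new `ROLE` branch submits the rendered manifest with `apply -f`, while the preceding branch visible in the hunk's context uses `create {resource_type} {resource_name}`; `apply` silently replaces an existing Role of the same name instead of failing, so a Role that was adjusted out-of-band would be overwritten with the template's rules. If that upsert is intended, a comment such as `# apply, not create: re-running setup must refresh the Role's rules in place` would make it explicit; otherwise `self.exec(f"create -f {t.name}", namespace=namespace, output="name")` keeps the branch consistent with its siblings. The username that lands in the template's `resourceNames` arrives through `extra_args` with no check visible here; validating it against the Kubernetes object-name pattern before `codecs.load_all_yaml` would stop a malformed name from altering the rendered YAML. The enclosing `create` method starts and ends outside the hunk.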
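Review bot: `**{"username": username}` is a verbose spelling of `username=username`; the dict-splat made sense when the argument names were assembled dynamically, but with one literal key the keyword form reads better. The Role's rules now come entirely from the template rather than the explicit resource/verb lists removed here, so the permissions granted to every service account (including `patch`/`update` on its config secret) are no longer visible at this call site; a short pointer such as `# Role rules are defined in defaults.template_role (role_yaml.tmpl)` would help readers auditing what a new account can do. `username` is not bound within the hunk and is presumably assigned earlier in the method.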
diff --git a/tests/unittest/test_services.py b/tests/unittest/test_services.py
index 765aaa9..d09d46d 100644
--- a/tests/unittest/test_services.py
+++ b/tests/unittest/test_services.py
@@ -734,6 +734,7 @@ def side_effect(*args, **kwargs):
 with patch("builtins.open", mock_open(read_data=kubeconfig_yaml_str)):
 k = LightKube(kube_config_file=kubeconfig, defaults=defaults)
 
+ print(f"rn: {resource_name}, namespace: {namespace}")
 k.create(
 KubernetesResourceType.ROLEBINDING,
 resource_name,
@@ -1408,16 +1409,7 @@ def test_k8s_registry_create(mocker):
 "role",
 f"{name3}-role",
 namespace=namespace3,
- **{
- "resource": [
- "pods",
- "configmaps",
- "services",
- "serviceaccounts",
- "secrets",
- ],
- "verb": ["create", "get", "list", "watch", "delete"],
- },
+ **{"username": f"{name3}"},
 )
 mock_kube_interface.create.assert_any_call(
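Review bot: The added `print(f"rn: {resource_name}, namespace: {namespace}")` reads as a leftover debugging aid; it contributes nothing to the test's assertions and will clutter pytest output on every run. Either drop the line or, if the values matter, assert on them where the created resources are checked. The enclosing function starts outside the hunk, so whether `resource_name` and `namespace` are parameters or fixtures cannot be confirmed here.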