diff --git a/manifests/0000_26_cloud-controller-manager-operator_02_rbac_operator.yaml b/manifests/0000_26_cloud-controller-manager-operator_02_rbac_operator.yaml
index d84db245c..f423fd90c 100644
--- a/manifests/0000_26_cloud-controller-manager-operator_02_rbac_operator.yaml
+++ b/manifests/0000_26_cloud-controller-manager-operator_02_rbac_operator.yaml
@@ -73,7 +73,7 @@ rules:
- update
- patch
-# vSphere has a separate node manager that uses the serivce account kube-system/vsphere-cloud-controller-manager.
+# vSphere has a separate node manager that uses the service account kube-system/vsphere-cloud-controller-manager.
# The operator must have these permissions to then grant them to the vSphere node manager.
- apiGroups:
- ""
@@ -103,8 +103,29 @@ rules:
verbs:
- create
- patch
-# nutanix has a separate node manager that uses the serivce account kube-system/nutanix-cloud-controller-manager.
-# The operator must have these permissions to then grant them to the nutanix node manager. (note it also uses some of the ones requred by vsphere)
+
+# alibaba has a separate node manager that uses the service account kube-system/alibaba-cloud-controller-manager.
+# The operator must have these permissions to then grant them to the alibaba node manager. (note it also uses some of the ones requred by vsphere)
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - get
+ - create
+ - list
+ - watch
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - services
+ - services/status
+ verbs:
+ - patch
+
+# nutanix has a separate node manager that uses the service account kube-system/nutanix-cloud-controller-manager.
+# The operator must have these permissions to then grant them to the nutanix node manager. (note it also uses some of the ones requred by vsphere and alibaba)
- apiGroups:
- ""
resources:
diff --git a/pkg/cloud/alibaba/alibaba.go b/pkg/cloud/alibaba/alibaba.go
index 860013f25..e3e20bfc6 100644
--- a/pkg/cloud/alibaba/alibaba.go
+++ b/pkg/cloud/alibaba/alibaba.go
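Review bot: The two comment lines added in the second hunk keep the `requred` misspelling (`...some of the ones requred by vsphere` and `...requred by vsphere and alibaba`) even though the same change fixes `serivce` a few lines up; suggest `required` in both. Separately, the operator's rules must stay a superset of every verb in the embedded alibaba Role and ClusterRole, otherwise the API server's RBAC escalation check rejects the operator's attempt to create them: the `coordination.k8s.io` `leases` get/create/update that the new Role grants is not added in this hunk, so it presumably already lives in an earlier rule the comment alludes to (shared with vsphere) — worth confirming against the full file. A short pointer in the comment, `# (leases for leader election are granted above, shared with vsphere/nutanix)`, would save the next reader that search. The enclosing `rules:` list starts outside the hunk.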
@@ -9,6 +9,7 @@ import (
"github.com/openshift/cluster-cloud-controller-manager-operator/pkg/config"
appsv1 "k8s.io/api/apps/v1"
+ rbacv1 "k8s.io/api/rbac/v1"
"sigs.k8s.io/controller-runtime/pkg/client"
"github.com/openshift/cluster-cloud-controller-manager-operator/pkg/cloud/common"
@@ -21,7 +22,11 @@ var (
assetsFs embed.FS
templates = []common.TemplateSource{
- {ReferenceObject: &appsv1.Deployment{}, EmbedFsPath: "assets/cloud-controller-manager-deployment.yaml"},
+ {ReferenceObject: &appsv1.Deployment{}, EmbedFsPath: "assets/alibaba-cloud-controller-manager-deployment.yaml"},
+ {ReferenceObject: &rbacv1.Role{}, EmbedFsPath: "assets/alibaba-cloud-controller-manager-role.yaml"},
+ {ReferenceObject: &rbacv1.RoleBinding{}, EmbedFsPath: "assets/alibaba-cloud-controller-manager-rolebinding.yaml"},
+ {ReferenceObject: &rbacv1.ClusterRole{}, EmbedFsPath: "assets/alibaba-cloud-controller-manager-clusterrole.yaml"},
+ {ReferenceObject: &rbacv1.ClusterRoleBinding{}, EmbedFsPath: "assets/alibaba-cloud-controller-manager-clusterrolebinding.yaml"},
}
)
diff --git a/pkg/cloud/alibaba/alibaba_test.go b/pkg/cloud/alibaba/alibaba_test.go
index ad2283dd5..8a92ffa57 100644
--- a/pkg/cloud/alibaba/alibaba_test.go
+++ b/pkg/cloud/alibaba/alibaba_test.go
@@ -43,7 +43,7 @@ func TestGetResources(t *testing.T) {
}
resources := assets.GetRenderedResources()
- assert.Len(t, resources, 1)
+ assert.Len(t, resources, 5)
})
}
diff --git a/pkg/cloud/alibaba/assets/alibaba-cloud-controller-manager-clusterrole.yaml b/pkg/cloud/alibaba/assets/alibaba-cloud-controller-manager-clusterrole.yaml
new file mode 100644
index 000000000..77d6d2a3a
--- /dev/null
+++ b/pkg/cloud/alibaba/assets/alibaba-cloud-controller-manager-clusterrole.yaml
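Review bot: The four RBAC entries appended to `templates` carry no comment on why the permissions are split between a namespaced Role and a cluster-scoped ClusterRole, so a reader has to open all four YAML assets to learn which grants are namespace-local and which are cluster-wide. A one-line comment above the `rbacv1.Role{}` entry, such as `// RBAC for the alibaba CCM: Role/RoleBinding cover leader election in the operator namespace, ClusterRole/ClusterRoleBinding cover cluster-wide node, service and endpoints access.`, would make the intent reviewable without leaving this file. Note that the resource counts asserted in alibaba_test.go and cloud_test.go in this same change are tied to the length of this slice, so any later addition here must update both. The `var (` block starts outside the hunk.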
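Review bot: `assert.Len(t, resources, 5)` pins only the count, so a template swapped for a different kind or an asset path pointing at the wrong file would still pass as long as five objects render. Since pkg/cloud/cloud_test.go in this change already lists the expected Kind/Name strings, consider asserting the kinds here as well (for example that exactly one ClusterRole and one ClusterRoleBinding are present) rather than a bare length. TestGetResources begins outside the hunk.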
@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: alibaba-cloud-controller-manager
+ namespace: openshift-cloud-controller-manager
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ - nodes/status
+ - services
+ - services/status
+ verbs:
+ - patch
diff --git a/pkg/cloud/alibaba/assets/alibaba-cloud-controller-manager-clusterrolebinding.yaml b/pkg/cloud/alibaba/assets/alibaba-cloud-controller-manager-clusterrolebinding.yaml
new file mode 100644
index 000000000..2c4d87a1d
--- /dev/null
+++ b/pkg/cloud/alibaba/assets/alibaba-cloud-controller-manager-clusterrolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: alibaba-cloud-controller-manager:alibaba-cloud-controller-manager
+ namespace: openshift-cloud-controller-manager
+roleRef:
+ kind: ClusterRole
+ name: alibaba-cloud-controller-manager
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ namespace: openshift-cloud-controller-manager
+ name: cloud-controller-manager
diff --git a/pkg/cloud/alibaba/assets/cloud-controller-manager-deployment.yaml b/pkg/cloud/alibaba/assets/alibaba-cloud-controller-manager-deployment.yaml
similarity index 100%
rename from pkg/cloud/alibaba/assets/cloud-controller-manager-deployment.yaml
rename to pkg/cloud/alibaba/assets/alibaba-cloud-controller-manager-deployment.yaml
diff --git a/pkg/cloud/alibaba/assets/alibaba-cloud-controller-manager-role.yaml b/pkg/cloud/alibaba/assets/alibaba-cloud-controller-manager-role.yaml
new file mode 100644
index 000000000..e7eb605de
--- /dev/null
+++ b/pkg/cloud/alibaba/assets/alibaba-cloud-controller-manager-role.yaml
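Review bot: The first rule of the new ClusterRole grants `endpoints` get/list/watch/update at cluster scope, which lets the bound service account rewrite the Endpoints of any Service in any namespace — much broader than leader election needs, and the namespaced Role added in this same change already grants endpoints get/list/watch/update/create in openshift-cloud-controller-manager. If the alibaba CCM only touches endpoints for leader election, drop the endpoints rule from the ClusterRole; if it genuinely needs cluster-wide endpoints access (its service controller, presumably), add a comment on the rule saying so, e.g. `# cluster-wide endpoints access is required by the CCM service controller`, so the grant is not trimmed later by mistake. Also, `namespace: openshift-cloud-controller-manager` under `metadata` is meaningless on a cluster-scoped ClusterRole (the API server discards it) and reads as if the object were namespaced; the ClusterRoleBinding asset in the next hunk has the same field and should lose it too.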
@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: alibaba-cloud-controller-manager
+ namespace: openshift-cloud-controller-manager
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - create
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - create
+ - update
diff --git a/pkg/cloud/alibaba/assets/alibaba-cloud-controller-manager-rolebinding.yaml b/pkg/cloud/alibaba/assets/alibaba-cloud-controller-manager-rolebinding.yaml
new file mode 100644
index 000000000..861ae6471
--- /dev/null
+++ b/pkg/cloud/alibaba/assets/alibaba-cloud-controller-manager-rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: alibaba-cloud-controller-manager:alibaba-cloud-controller-manager
+ namespace: openshift-cloud-controller-manager
+roleRef:
+ kind: Role
+ name: alibaba-cloud-controller-manager
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ namespace: openshift-cloud-controller-manager
+ name: cloud-controller-manager
diff --git a/pkg/cloud/cloud_test.go b/pkg/cloud/cloud_test.go
index e27f6be2c..1626c847f 100644
--- a/pkg/cloud/cloud_test.go
+++ b/pkg/cloud/cloud_test.go
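Review bot: The Role's first rule repeats the `endpoints` get/list/watch/update that the ClusterRole in this change already grants cluster-wide, so the only verb it actually adds at namespace scope is `create`; the overlap hides which of the two objects is meant to back leader election, and a comment on this rule, `# leader election: endpoints and leases in the operator namespace only`, would settle it and make a later tightening of the ClusterRole safe. Separately, the `include.release.openshift.io/*` annotations are set on the Role and ClusterRole but not on the RoleBinding or ClusterRoleBinding; what these CVO inclusion annotations do on assets the operator renders itself is not visible here, so either add them to the bindings for consistency or drop them from the roles if they are inert.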
@@ -104,17 +104,26 @@ func TestGetResources(t *testing.T) {
name: "Alibaba resources returned as expected",
testPlatform: platformsMap[string(configv1.AlibabaCloudPlatformType)],
singleReplica: false,
- expectedResourceCount: 2,
+ expectedResourceCount: 6,
expectedResourcesKindName: []string{
"Deployment/alibaba-cloud-controller-manager",
+ "Role/alibaba-cloud-controller-manager",
+ "RoleBinding/alibaba-cloud-controller-manager:alibaba-cloud-controller-manager",
+ "ClusterRole/alibaba-cloud-controller-manager",
+ "ClusterRoleBinding/alibaba-cloud-controller-manager:alibaba-cloud-controller-manager",
"PodDisruptionBudget/alibabacloud-cloud-controller-manager",
},
}, {
- name: "Alibaba resources returned as expected with single node cluster",
- testPlatform: platformsMap[string(configv1.AlibabaCloudPlatformType)],
- expectedResourceCount: 1,
- singleReplica: true,
- expectedResourcesKindName: []string{"Deployment/alibaba-cloud-controller-manager"},
+ name: "Alibaba resources returned as expected with single node cluster",
+ testPlatform: platformsMap[string(configv1.AlibabaCloudPlatformType)],
+ expectedResourceCount: 5,
+ singleReplica: true,
+ expectedResourcesKindName: []string{
+ "Deployment/alibaba-cloud-controller-manager",
+ "Role/alibaba-cloud-controller-manager",
+ "RoleBinding/alibaba-cloud-controller-manager:alibaba-cloud-controller-manager",
+ "ClusterRole/alibaba-cloud-controller-manager",
+ "ClusterRoleBinding/alibaba-cloud-controller-manager:alibaba-cloud-controller-manager"},
}, {
name: "AWS resources returned as expected",
testPlatform: platformsMap[string(configv1.AWSPlatformType)],
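Review bot: In the rewritten single-node case the `[]string{` literal is closed on the last element line (`"ClusterRoleBinding/alibaba-cloud-controller-manager:alibaba-cloud-controller-manager"},`) while the multi-replica case a few lines up closes the same kind of literal with `},` on its own line; gofmt accepts both, but the trailing-brace form makes the next kind added to this list a two-line diff and is inconsistent within the same table. Suggest ending the element with `"ClusterRoleBinding/alibaba-cloud-controller-manager:alibaba-cloud-controller-manager",` and putting `},` on the following line. The test table and TestGetResources continue outside the hunk.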