diff --git a/docs/terraform/cluster/azure-aks.md b/docs/terraform/cluster/azure-aks.md
index 715b1a45..4f8db885 100644
--- a/docs/terraform/cluster/azure-aks.md
+++ b/docs/terraform/cluster/azure-aks.md
@@ -31,6 +31,11 @@ No modules.
 | [azurerm_kubernetes_cluster_node_pool.autoscaled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster_node_pool) | resource |
 | [azurerm_log_analytics_workspace.aks_logs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) | resource |
 | [azurerm_resource_group.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_role_assignment.aks_network_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.aks_vmss_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.azurerm_disk_encryption_set_key_vault_access](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.control_plane_managed_identity_operator_on_kubelet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.des_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_user_assigned_identity.cluster](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
 | [local_file.kube_config](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [random_string.key](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
diff --git a/terraform/cluster/azure-aks/main.tf b/terraform/cluster/azure-aks/main.tf
index d969348b..931b7c28 100644
--- a/terraform/cluster/azure-aks/main.tf
+++ b/terraform/cluster/azure-aks/main.tf
@@ -268,6 +268,12 @@ resource "azurerm_kubernetes_cluster" "main" {
 )
 }
+ kubelet_identity {
+ client_id = azurerm_user_assigned_identity.cluster.client_id
+ object_id = azurerm_user_assigned_identity.cluster.principal_id
+ user_assigned_identity_id = azurerm_user_assigned_identity.cluster.id
+ }
+
 lifecycle {
 ignore_changes = [
 default_node_pool[0].upgrade_settings,
@@ -305,3 +311,33 @@ resource "local_file" "kube_config" {
 content = azurerm_kubernetes_cluster.main.kube_config_raw
 filename = local.kubeconfig_path
 }
+
+resource "azurerm_role_assignment" "aks_vmss_contributor" {
+ scope = azurerm_resource_group.aks.id
+ role_definition_name = "Virtual Machine Contributor"
+ principal_id = azurerm_user_assigned_identity.cluster.principal_id
+}
+
+resource "azurerm_role_assignment" "azurerm_disk_encryption_set_key_vault_access" {
+ scope = azurerm_key_vault.key_vault.id
+ role_definition_name = "Key Vault Crypto Service Encryption User"
+ principal_id = azurerm_user_assigned_identity.cluster.principal_id
+}
+
+resource "azurerm_role_assignment" "aks_network_contributor" {
+ scope = azurerm_resource_group.aks.id
+ role_definition_name = "Network Contributor"
+ principal_id = azurerm_user_assigned_identity.cluster.principal_id
+}
+
+resource "azurerm_role_assignment" "des_reader" {
+ scope = azurerm_disk_encryption_set.main.id
+ role_definition_name = "Reader"
+ principal_id = azurerm_user_assigned_identity.cluster.principal_id
+}
+
+resource "azurerm_role_assignment" "control_plane_managed_identity_operator_on_kubelet" {
+ scope = azurerm_user_assigned_identity.cluster.id
+ role_definition_name = "Managed Identity Operator"
+ principal_id = azurerm_user_assigned_identity.cluster.principal_id
+}
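Review bot: Nothing orders the cluster after the `Managed Identity Operator` assignment that a user-assigned `kubelet_identity` relies on, so on a fresh apply Terraform can submit the cluster create before `control_plane_managed_identity_operator_on_kubelet` exists or has propagated, and the create fails on the kubelet identity. Add `depends_on = [azurerm_role_assignment.control_plane_managed_identity_operator_on_kubelet]` to `azurerm_kubernetes_cluster.main`; that resource's body starts above this hunk, and role assignments are also eventually consistent, so a short wait after the assignment may still be needed. The block also points the kubelet at `azurerm_user_assigned_identity.cluster`, and the self-scoped operator assignment in the next hunk suggests the same identity is the cluster's control plane identity; if so, every node — and any workload that can reach the node metadata endpoint — can obtain tokens carrying the control plane's permissions, which a dedicated kubelet identity would avoid.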
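Review bot: The assignments give the kubelet identity (wired in by the `kubelet_identity` block in the previous hunk) far wider rights than nodes need: `Virtual Machine Contributor` and `Network Contributor` over the whole `azurerm_resource_group.aks`, plus `Key Vault Crypto Service Encryption User` on `azurerm_key_vault.key_vault`. Because this identity is usable from every node and from any workload that can reach the node metadata endpoint, one compromised pod inherits the ability to change any VM or network resource in that resource group. Scope `aks_vmss_contributor` to the cluster's node resource group and `aks_network_contributor` to the subnet or VNet the cluster actually uses, and confirm whether the key-vault role belongs on this principal at all — for customer-managed disk encryption it is normally the disk encryption set's own identity that needs vault access, while the cluster identity needs only the `Reader` on the set that `des_reader` already grants. `control_plane_managed_identity_operator_on_kubelet` uses the same identity as both `scope` and `principal_id`; either split control plane and kubelet into separate identities, or record the choice with a comment such as `# Self-assignment: one identity serves as both control plane and kubelet identity` so the next reader does not take it for a typo.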