diff --git a/deploy/charts/disco-agent/templates/rbac.yaml b/deploy/charts/disco-agent/templates/rbac.yaml
index cc8ca8aa..92bd1349 100644
--- a/deploy/charts/disco-agent/templates/rbac.yaml
+++ b/deploy/charts/disco-agent/templates/rbac.yaml
@@ -110,3 +110,33 @@ subjects:
 - kind: ServiceAccount
 name: {{ include "disco-agent.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "disco-agent.fullname" . }}-eso-reader
+ labels:
+ {{- include "disco-agent.labels" . | nindent 4 }}
+rules:
+ - apiGroups: ["external-secrets.io"]
+ resources:
+ - externalsecrets
+ - clusterexternalsecrets
+ - secretstores
+ - clustersecretstores
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "disco-agent.fullname" . }}-eso-reader
+ labels:
+ {{- include "disco-agent.labels" . | nindent 4 }}
+roleRef:
+ kind: ClusterRole
+ name: {{ include "disco-agent.fullname" . }}-eso-reader
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "disco-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
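Review bot: The `-eso-reader` ClusterRole and its ClusterRoleBinding are rendered unconditionally, so every install of the chart gives the agent's ServiceAccount cluster-wide `get`/`list`/`watch` on External Secrets Operator objects, whether or not the operator wants that data collected. The rule is read-only and does not touch core `secrets`, but `secretstores` and `clustersecretstores` specs describe provider endpoints and auth references across all namespaces, and depending on the provider may hold inline configuration, so the grant is worth making something an operator can turn off. Consider wrapping both documents in a chart-values conditional, `{{- if <maintainer-chosen values toggle> }}` … `{{- end }}`, and adding a comment above `rules:` such as `# Read-only discovery of External Secrets Operator resources; no access to core Secrets is granted.` The binding whose `subjects:` entries appear as context at the top starts outside this hunk.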