diff --git a/credentials-operator/templates/credentials-operator-deployment.yaml b/credentials-operator/templates/credentials-operator-deployment.yaml index eff72479..a0be655d 100644 --- a/credentials-operator/templates/credentials-operator-deployment.yaml +++ b/credentials-operator/templates/credentials-operator-deployment.yaml @@ -189,6 +189,16 @@ spec: - name: OTTERIZE_TELEMETRY_ERRORS_API_KEY value: {{ .Values.global.telemetry.errors.credentialsOperatorApiKey | quote }} {{- end }} + {{- if .Values.global.aws.rolesAnywhere.enabled }} + - name: OTTERIZE_TRUST_DOMAIN + value: {{ .Values.global.aws.rolesAnywhere.trustDomain | quote }} + - name: OTTERIZE_TRUST_ANCHOR_ARN + value: {{ .Values.global.aws.rolesAnywhere.trustAnchorARN | quote }} + - name: AWS_SHARED_CREDENTIALS_FILE + value: "/aws-config/credentials" + - name: AWS_REGION + value: {{ .Values.global.aws.region | quote }} + {{- end }} livenessProbe: httpGet: path: /healthz @@ -206,12 +216,21 @@ spec: {{- toYaml .Values.resources | nindent 10 }} securityContext: allowPrivilegeEscalation: false +# Only runAsNonRoot when not using rolesAnywhere +{{- if ne true (default .Values.global.aws.rolesAnywhere.enabled false) }} + runAsNonRoot: true +{{- end }} capabilities: drop: - "ALL" volumeMounts: - mountPath: /tmp/k8s-webhook-server/serving-certs name: webhook-cert +{{- if .Values.global.aws.rolesAnywhere.enabled }} + - mountPath: /aws-config + name: spiffe + readOnly: true +{{- end }} {{- if eq "false" (.Values.global.otterizeCloud.useCloudToGenerateTLSCredentials | toString) }} - mountPath: {{ .Values.spire.socketsPath }} name: spire-agent-socket @@ -222,8 +241,6 @@ spec: name: api-extra-ca-pem readOnly: true {{- end }} - securityContext: - runAsNonRoot: true terminationGracePeriodSeconds: 10 volumes: {{- if eq "false" (.Values.global.otterizeCloud.useCloudToGenerateTLSCredentials | toString) }} 
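Review bot: The new env block in the first hunk renders `OTTERIZE_TRUST_DOMAIN`, `OTTERIZE_TRUST_ANCHOR_ARN` and `AWS_REGION` from values that this commit never declares (the values.yaml hunks add only `rolesAnywhere.enabled: false`), so an unset key renders as `""` and the operator starts with an empty trust anchor instead of failing at install time. Since the block is already gated on `rolesAnywhere.enabled`, make the render fail instead: `value: {{ required "global.aws.rolesAnywhere.trustAnchorARN is required when rolesAnywhere is enabled" .Values.global.aws.rolesAnywhere.trustAnchorARN | quote }}`, and likewise for `trustDomain` and `global.aws.region`. The container spec this env list belongs to starts before the hunk.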
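Review bot: The second hunk drops `runAsNonRoot: true` from the container securityContext whenever `rolesAnywhere.enabled` is true, and the third hunk removes the pod-level `securityContext: runAsNonRoot: true` unconditionally, so enabling the feature silently lets the operator run as root with no guard left at either level. The comment `# Only runAsNonRoot when not using rolesAnywhere` says what but not why; if the reason is that the file the CSI driver writes under `/aws-config` is not readable by the non-root UID, the fix that keeps the hardening is to make that file group-readable rather than to run as root — keep `runAsNonRoot: true` and add a pod-level `securityContext: {fsGroup: <operator uid>}` (csi-driver-spiffe also documents a `spiffe.csi.cert-manager.io/fs-group` volume attribute for exactly this; confirm the installed driver version supports it). If root really is unavoidable, the comment should state the concrete reason and `runAsUser` should be pinned so the choice is explicit and auditable. The container spec continues outside the hunk.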
@@ -231,6 +248,17 @@ spec: path: {{ .Values.spire.socketsPath }} type: Directory name: spire-agent-socket +{{- end }} +{{- if .Values.global.aws.rolesAnywhere.enabled }} + - name: spiffe + csi: + driver: spiffe.csi.cert-manager.io + readOnly: true + volumeAttributes: + aws.spiffe.csi.cert-manager.io/trust-profile: {{ .Values.global.aws.rolesAnywhere.credentialsOperatorTrustProfileARN | quote }} + aws.spiffe.csi.cert-manager.io/trust-anchor: {{ .Values.global.aws.rolesAnywhere.trustAnchorARN | quote }} + aws.spiffe.csi.cert-manager.io/role: {{ .Values.aws.roleARN | quote }} + aws.spiffe.csi.cert-manager.io/enable: "true" {{- end }} {{ if .Values.global.otterizeCloud.apiExtraCAPEMSecret }} - name: api-extra-ca-pem diff --git a/credentials-operator/templates/credentials-operator-mutating-webhook-configuration.yaml b/credentials-operator/templates/credentials-operator-mutating-webhook-configuration.yaml index 8826075c..5c22a628 100644 --- a/credentials-operator/templates/credentials-operator-mutating-webhook-configuration.yaml +++ b/credentials-operator/templates/credentials-operator-mutating-webhook-configuration.yaml @@ -4,6 +4,11 @@ kind: MutatingWebhookConfiguration metadata: creationTimestamp: null name: otterize-credentials-operator-mutating-webhook-configuration +{{- if .Values.global.aws.rolesAnywhere.enabled }} + labels: + app.kubernetes.io/part-of: otterize + app.kubernetes.io/component: credentials-operator +{{- end }} webhooks: - admissionReviewVersions: - v1 diff --git a/credentials-operator/templates/rbac-certmgr.yaml b/credentials-operator/templates/rbac-certmgr.yaml new file mode 100644 index 00000000..09e3e329 --- /dev/null +++ b/credentials-operator/templates/rbac-certmgr.yaml 
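Review bot: In the new `spiffe` CSI volume, `aws.spiffe.csi.cert-manager.io/role` is read from the non-global `.Values.aws.roleARN`, while the trust-profile and trust-anchor attributes — and the `roleARN:` key visible in this commit's credentials-operator/values.yaml context — live under `global.aws`; if `.Values.aws.roleARN` is not defined for this chart the attribute renders as `""` and the driver has no role to assume. Confirm which key is intended and guard it like the ARNs: `aws.spiffe.csi.cert-manager.io/role: {{ required "aws.roleARN is required when rolesAnywhere is enabled" .Values.aws.roleARN | quote }}`. `readOnly: true` on the volume is the right default; a one-line comment naming what the driver writes to `/aws-config/credentials` would help, since the env hunk hard-codes that path. The volumes list continues outside the hunk.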
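Review bot: The `app.kubernetes.io/part-of` and `app.kubernetes.io/component` labels on the MutatingWebhookConfiguration are rendered only when `rolesAnywhere.enabled` is true, which reads as accidental unless something selects on them in that mode. If they are plain identification labels, render them unconditionally; if a controller does select on them, add a comment above the `{{- if }}` naming that consumer, e.g. `# labels used by <consumer> to find the webhook when Roles Anywhere is enabled`, so the coupling is visible to the next reader.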
@@ -0,0 +1,26 @@ +{{- if .Values.global.aws.rolesAnywhere.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: creds-operator-certificaterequest-creator + namespace: otterize-system +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificaterequests"] + verbs: ["create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: credentials-operator-certificaterequest + namespace: otterize-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: creds-operator-certificaterequest-creator +subjects: + - kind: ServiceAccount + name: credentials-operator-controller-manager + namespace: otterize-system +--- +{{- end }} \ No newline at end of file diff --git a/credentials-operator/values.yaml b/credentials-operator/values.yaml index 4e1cbb82..9eda3568 100644 --- a/credentials-operator/values.yaml +++ b/credentials-operator/values.yaml @@ -46,6 +46,8 @@ global: aws: enabled: false useSoftDelete: false + rolesAnywhere: + enabled: false eksClusterNameOverride: roleARN: diff --git a/intents-operator/templates/intents-operator-deployment.yaml b/intents-operator/templates/intents-operator-deployment.yaml index 90d67cba..007a1d0a 100644 --- a/intents-operator/templates/intents-operator-deployment.yaml +++ b/intents-operator/templates/intents-operator-deployment.yaml 
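Review bot: The Role, the RoleBinding and the subject in the new rbac-certmgr.yaml hard-code `namespace: otterize-system`, so a release installed into any other namespace grants nothing to its own service account and instead binds a service account in a namespace the release does not manage; use `namespace: {{ .Release.Namespace }}` in all three places. The grant itself is tight (`create` on `certificaterequests` only), but `create` lets this service account request any certificate in the namespace, so the check that the issued identity matches the requesting service account must come from the cert-manager approver policy, which is not part of this chart — a comment above the Role saying so would save the next reader an investigation. The `---` after the RoleBinding emits an empty document and can go, and the file lacks a newline at end of file.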
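Review bot: values.yaml declares only `rolesAnywhere.enabled: false`, while the templates in this commit read `rolesAnywhere.trustDomain`, `rolesAnywhere.trustAnchorARN`, `rolesAnywhere.credentialsOperatorTrustProfileARN` and `global.aws.region`; undeclared keys are invisible to users and to any values schema. Declare them here with empty defaults and a comment per key, e.g. `trustAnchorARN: ""  # ARN of the IAM Roles Anywhere trust anchor; required when enabled is true`.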
@@ -198,7 +198,22 @@ spec: - name: OTTERIZE_EXP_ENABLE_EGRESS_NETWORK_POLICIES value: "true" {{- end }} + {{- if .Values.global.aws.rolesAnywhere.enabled }} + - name: OTTERIZE_TRUST_DOMAIN + value: {{ .Values.global.aws.rolesAnywhere.trustDomain | quote }} + - name: OTTERIZE_TRUST_ANCHOR_ARN + value: {{ .Values.global.aws.rolesAnywhere.trustAnchorARN | quote }} + - name: AWS_SHARED_CREDENTIALS_FILE + value: "/aws-config/credentials" + - name: AWS_REGION + value: {{ .Values.global.aws.region | quote }} + {{- end }} volumeMounts: +{{- if .Values.global.aws.rolesAnywhere.enabled }} + - mountPath: /aws-config + name: spiffe + readOnly: true +{{- end }} - mountPath: /controller_manager_config.yaml name: manager-config subPath: controller_manager_config.yaml @@ -234,8 +249,10 @@ spec: memory: 64Mi securityContext: allowPrivilegeEscalation: false - securityContext: - runAsNonRoot: true +# Only runAsNonRoot when not using rolesAnywhere +{{- if ne true (default .Values.global.aws.rolesAnywhere.enabled false) }} + runAsNonRoot: true +{{- end }} serviceAccountName: intents-operator-controller-manager terminationGracePeriodSeconds: 10 volumes: @@ -261,4 +278,15 @@ spec: secret: secretName: {{ .Values.global.otterizeCloud.apiExtraCAPEMSecret }} {{ end }} - - name: cert +{{- if .Values.global.aws.rolesAnywhere.enabled }} + - name: spiffe + csi: + driver: spiffe.csi.cert-manager.io + readOnly: true + volumeAttributes: + aws.spiffe.csi.cert-manager.io/trust-profile: {{ .Values.global.aws.rolesAnywhere.intentsOperatorTrustProfileARN | quote }} + aws.spiffe.csi.cert-manager.io/trust-anchor: {{ .Values.global.aws.rolesAnywhere.trustAnchorARN | quote }} + aws.spiffe.csi.cert-manager.io/role: {{ .Values.aws.roleARN | quote }} + aws.spiffe.csi.cert-manager.io/enable: "true" +{{- end }} + - name: cert \ No newline at end of file diff --git a/intents-operator/templates/rbac-certmgr.yaml b/intents-operator/templates/rbac-certmgr.yaml new file mode 100644 index 00000000..cf473ba0 
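Review bot: As in the credentials operator, the securityContext hunk makes `runAsNonRoot: true` conditional on `rolesAnywhere.enabled` being false and removes the pod-level `securityContext: runAsNonRoot: true`, so the intents operator runs as root whenever the feature is on. Prefer keeping `runAsNonRoot: true` and fixing readability of the CSI-mounted `/aws-config` file via a pod-level `fsGroup` (or the driver's fs-group volume attribute, if the installed version supports it), and replace `# Only runAsNonRoot when not using rolesAnywhere` with a comment stating the actual reason root would be needed. The container spec starts before the hunk.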
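Review bot: The `spiffe` volume in the last hunk mirrors the credentials-operator one and has the same split: trust-profile and trust-anchor come from `.Values.global.aws.rolesAnywhere`, the role from the non-global `.Values.aws.roleARN`; an undefined key renders as `""`, so either guard it with `required` or reference `global.aws.roleARN` if that is the key meant. The hunk also leaves `- name: cert` as the last line of the file with no trailing newline; the `cert` volume's definition continues past the hunk.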
--- /dev/null +++ b/intents-operator/templates/rbac-certmgr.yaml @@ -0,0 +1,25 @@ +{{- if .Values.global.aws.rolesAnywhere.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: intents-operator-certificaterequest-creator + namespace: otterize-system +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificaterequests"] + verbs: ["create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: intents-operator-certificaterequest + namespace: otterize-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: intents-operator-certificaterequest-creator +subjects: + - kind: ServiceAccount + name: intents-operator-controller-manager + namespace: otterize-system +{{- end }} \ No newline at end of file diff --git a/intents-operator/values.yaml b/intents-operator/values.yaml index 4476c888..71e89c8c 100644 --- a/intents-operator/values.yaml +++ b/intents-operator/values.yaml @@ -70,6 +70,8 @@ global: aws: enabled: false + rolesAnywhere: + enabled: false eksClusterNameOverride: azure: diff --git a/otterize-kubernetes/values.yaml b/otterize-kubernetes/values.yaml index 07148f75..18836b9a 100644 --- a/otterize-kubernetes/values.yaml +++ b/otterize-kubernetes/values.yaml @@ -7,6 +7,8 @@ global: aws: enabled: false + rolesAnywhere: + enabled: false useSoftDelete: false eksClusterNameOverride:
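Review bot: Same as the credentials-operator file: `namespace: otterize-system` is hard-coded on the Role, the RoleBinding and the subject, so an install into another namespace binds the wrong or a non-existent service account; use `namespace: {{ .Release.Namespace }}` for all three. The subject name does match the `serviceAccountName: intents-operator-controller-manager` shown in the deployment hunk, so only the namespace needs changing. The file also lacks a newline at end of file.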