diff --git a/cluster-service/Makefile b/cluster-service/Makefile
index 852a7ecf7..a06046d9d 100644
--- a/cluster-service/Makefile
+++ b/cluster-service/Makefile
@@ -5,9 +5,11 @@ CONFIG_PROFILE ?= dev
 include ../dev-infrastructure/configurations/$(CONFIG_PROFILE).mk
 CONSUMER_NAME ?= $(shell az aks list --query "[?tags.clusterType == 'mgmt-cluster' && starts_with(resourceGroup, '$(REGIONAL_RESOURCEGROUP)')].resourceGroup" -o tsv)
-KEYVAULT_NAME ?= $(shell az keyvault list --query "[?tags.aroHCPPurpose=='service'].name" -g ${SVC_KV_RESOURCEGROUP} --output tsv)
+KEYVAULT_NAME ?= aro-hcp-dev-svc-kv
 FPA_CERT_NAME ?= firstPartyCert
 AZURE_FIRST_PARTY_APPLICATION_CLIENT_ID ?= "57e54810-3138-4f38-bd3b-29cb33f4c358"
+ARM_HELPER_IDENTITY_CLIENT_ID ?= "2c6ca254-36bd-43c8-a7a8-fe880bc2c489"
+ARM_HELPER_IDENTITY_CERT_NAME ?= aro-dev-arm-helper
 deploy:
 ZONE_RESOURCE_ID=$(shell az network dns zone list -g ${REGIONAL_RESOURCEGROUP} --query "[?zoneType=='Public'].id" -o tsv) && \
@@ -37,6 +39,8 @@ deploy:
 -p IMAGE_REPOSITORY=app-sre/uhc-clusters-service \
 -p AZURE_FIRST_PARTY_APPLICATION_CLIENT_ID=$${AZURE_FIRST_PARTY_APPLICATION_CLIENT_ID} \
 -p FPA_CERT_NAME=${FPA_CERT_NAME} \
+ -p ARM_HELPER_IDENTITY_CLIENT_ID=${ARM_HELPER_IDENTITY_CLIENT_ID} \
+ -p ARM_HELPER_IDENTITY_CERT_NAME=${ARM_HELPER_IDENTITY_CERT_NAME}
 -p IMAGE_TAG=b16f630 | oc apply -f -
 deploy-integ:
@@ -44,7 +48,9 @@ deploy-integ:
 -g ${RESOURCEGROUP} \
 -n clusters-service \
 --query clientId) && \
+ ARM_HELPER_IDENTITY_SERVICE_PRINCIPAL_CLIENT_ID=${ARM_HELPER_IDENTITY_CLIENT_ID} && \
 oc process --local -f deploy/integration/cluster-service-namespace.yaml \
+ -p ARM_HELPER_IDENTITY_SERVICE_PRINCIPAL_CLIENT_ID=$${ARM_HELPER_IDENTITY_SERVICE_PRINCIPAL_CLIENT_ID} \
 -p CLIENT_ID=$${AZURE_CS_MI_CLIENT_ID} | oc apply -f -
 # for local development
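Review bot: `KEYVAULT_NAME ?= aro-hcp-dev-svc-kv` and `ARM_HELPER_IDENTITY_CERT_NAME ?= aro-dev-arm-helper` bake dev-environment names into a Makefile whose other settings come from `include ../dev-infrastructure/configurations/$(CONFIG_PROFILE).mk` (the context line above). The removed `az keyvault list` lookup was profile-driven through `${SVC_KV_RESOURCEGROUP}`; with a literal default, any profile `.mk` that does not itself set `KEYVAULT_NAME` silently deploys against the dev vault. Moving both names into the profile file (or keeping the lookup) keeps `CONFIG_PROFILE` meaningful for non-dev deployments.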
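Review bot: The added line `-p ARM_HELPER_IDENTITY_CERT_NAME=${ARM_HELPER_IDENTITY_CERT_NAME}` has no trailing `\`, so the `oc process` command ends there: the following context line `-p IMAGE_TAG=b16f630 | oc apply -f -` is executed as a separate shell command, the processed template is printed to stdout instead of being applied, and the recipe then fails on `-p` being run as a command. The fix is `-p ARM_HELPER_IDENTITY_CERT_NAME=${ARM_HELPER_IDENTITY_CERT_NAME} \`. The `deploy` recipe begins outside this hunk.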
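Review bot: The new `ARM_HELPER_IDENTITY_SERVICE_PRINCIPAL_CLIENT_ID=${ARM_HELPER_IDENTITY_CLIENT_ID} && \` line only copies a parse-time Make variable into a shell variable that is read once on the next added line; `-p ARM_HELPER_IDENTITY_SERVICE_PRINCIPAL_CLIENT_ID=${ARM_HELPER_IDENTITY_CLIENT_ID} \` passes it directly and matches how `FPA_CERT_NAME` is passed in `deploy`. The `$${…}` shell indirection is warranted for `AZURE_CS_MI_CLIENT_ID`, which is computed by the `az` call above, not for a constant. The `deploy-integ` recipe starts outside this hunk.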
diff --git a/cluster-service/deploy/openshift-templates/arohcp-service-template.yml b/cluster-service/deploy/openshift-templates/arohcp-service-template.yml
index f69202e1e..ba7245398 100644
--- a/cluster-service/deploy/openshift-templates/arohcp-service-template.yml
+++ b/cluster-service/deploy/openshift-templates/arohcp-service-template.yml
@@ -233,6 +233,12 @@ parameters:
 value: ""
 - name: FPA_CERT_NAME
 description: The name of the secret that contains the first party application certificate bundle.
+- name: ARM_HELPER_IDENTITY_CLIENT_ID
+ description: The client id of the service principal that represents the ARM Helper Identity.
+ value: "57e54810-3138-4f38-bd3b-29cb33f4c358"
+- name: ARM_HELPER_IDENTITY_CERT_NAME
+ description: The name of the secret that contains the ARM Helper Indentity certificate bundle.
+ value: ""
 objects:
@@ -256,6 +262,26 @@ objects:
 usePodIdentity: "false"
 provider: azure
+- apiVersion: secrets-store.csi.x-k8s.io/v1
+ kind: SecretProviderClass
+ metadata:
+ name: arm-identity
+ namespace: ${NAMESPACE}
+ spec:
+ parameters:
+ clientID: ${ARM_HELPER_IDENTITY_CLIENT_ID}
+ cloudName: AzurePublicCloud
+ keyvaultName: ${ARM_HELPER_IDENTITY_KEYVAULT_NAME}
+ objects: |-
+ array:
+ - |
+ objectName: ${ARM_HELPER_IDENTITY_CERT_NAME}
+ objectType: secret
+ objectAlias: armHelperIndentityCertificateBundle
+ tenantId: ${TENANT_ID}
+ usePodIdentity: "false"
+ provider: azure
+
 - apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -456,6 +482,9 @@ objects:
 - name: azure-credentials
 secret:
 secretName: azure-credentials
+ - name: arm-identity
+ secret:
+ secretName: arm-identity
 - name: keyvault
 csi:
 driver: secrets-store.csi.k8s.io
@@ -523,6 +552,9 @@ objects:
 readOnly: true
 - name: azure-runtime-config
 mountPath: /configs/azure-runtime-config
+ - name: arm-identity
+ mountPath: "/secrets/arm-identity"
+ readOnly: true
 env:
 - name: NAMESPACE
 valueFrom:
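Review bot: The default `value: "57e54810-3138-4f38-bd3b-29cb33f4c358"` on the new `ARM_HELPER_IDENTITY_CLIENT_ID` parameter is the same GUID the Makefile assigns to `AZURE_FIRST_PARTY_APPLICATION_CLIENT_ID`, while the Makefile's own `ARM_HELPER_IDENTITY_CLIENT_ID` is a different GUID; a caller that omits `-p ARM_HELPER_IDENTITY_CLIENT_ID` therefore silently runs the ARM helper path under the first-party application's identity. Drop the `value:` line so the parameter is required, as `FPA_CERT_NAME` above is, or use `value: ""` so a missing value fails visibly at deploy time rather than selecting the wrong principal. Minor: `Indentity` in the second description should read `Identity`.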
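Review bot: `keyvaultName: ${ARM_HELPER_IDENTITY_KEYVAULT_NAME}` in the new SecretProviderClass references a parameter that the parameters hunk above does not declare (only `ARM_HELPER_IDENTITY_CLIENT_ID` and `ARM_HELPER_IDENTITY_CERT_NAME` are added) and that the Makefile never passes with `-p`; unless it is declared elsewhere in the template, `oc process` leaves the literal `${ARM_HELPER_IDENTITY_KEYVAULT_NAME}` in the rendered object and the CSI driver has no vault to read from. Either declare the parameter and pass it from `deploy`, or, if the helper certificate lives in the same vault as the first-party certificate, reuse the parameter the existing `keyvault` SecretProviderClass uses. Note also that `objectAlias: armHelperIndentityCertificateBundle` becomes the mounted file name, so correcting the `Indentity` typo must be done together with the container argument that references it.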
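Review bot: The new volume `- name: arm-identity` is a plain `secret:` volume with `secretName: arm-identity`, but the SecretProviderClass of that name added above declares no `secretObjects` that would sync a Kubernetes Secret, so unless the Secret is created outside this template the pod will not start because the secret volume cannot be mounted. The neighbouring `keyvault` volume (context lines below) is CSI-backed via `driver: secrets-store.csi.k8s.io`; the arm-identity volume should use the same mechanism and point at the new SecretProviderClass, so the mount at `/secrets/arm-identity` is populated from Key Vault and the certificate never materialises as a long-lived Secret object.
```yaml
      - name: arm-identity
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: arm-identity
      # … unchanged: keyvault csi volume …
```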
@@ -574,6 +606,8 @@ objects:
 - --azure-first-party-application-client-id=${AZURE_FIRST_PARTY_APPLICATION_CLIENT_ID}
 - --azure-first-party-application-certificate-bundle-path=/secrets/keyvault/firstPartyApplicationCertificateBundle
 - --azure-runtime-config-path=/configs/azure-runtime-config/config.json
+ - --arm-helper-identity-client-id=${ARM_HELPER_IDENTITY_CLIENT_ID}
+ - --arm-helper-identity-certificate-bundle-path=/secrets/arm-identity/armHelperIndentityCertificateBundlePath
 livenessProbe:
 httpGet:
 path: /api/clusters_mgmt/v1
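Review bot: `--arm-helper-identity-certificate-bundle-path=/secrets/arm-identity/armHelperIndentityCertificateBundlePath` names a file the CSI driver will not create: the SecretProviderClass writes the object under its `objectAlias`, `armHelperIndentityCertificateBundle`, with no `Path` suffix, so the service would presumably fail to open the bundle at startup. The sibling flag for the first-party certificate uses its alias verbatim (`/secrets/keyvault/firstPartyApplicationCertificateBundle`); change the new flag to `--arm-helper-identity-certificate-bundle-path=/secrets/arm-identity/armHelperIndentityCertificateBundle`. The container `args` list begins outside this hunk.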