diff --git a/cloud-init/k3s/cloud_init.cfg b/cloud-init/k3s/cloud_init.cfg
index cc3f84a..a093907 100644
--- a/cloud-init/k3s/cloud_init.cfg
+++ b/cloud-init/k3s/cloud_init.cfg
@@ -26,7 +26,7 @@ write_files:
 # AWS STS will use the public static discovery/JWKS documents served by www
 # at https://makeitwork.cloud/oidc to validate sops-secrets-operator tokens.
 - path: /etc/rancher/k3s/config.yaml.d/service-account-issuer.yaml
- permissions: '0600'
+ permissions: '0644'
 content: |
 kube-apiserver-arg:
 # First issuer signs new ServiceAccount tokens.
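Review bot: The new `permissions: '0644'` on service-account-issuer.yaml makes this k3s drop-in readable by every local user on the node, and nothing in the hunk records why `'0600'` was not sufficient. The visible content is only issuer-related `kube-apiserver-arg` entries, which look non-secret, but the `content: |` block continues past the hunk, so confirm that nothing further down is a credential and that none gets added later. If a specific non-root reader needs the file, `owner: root:<group>` with `permissions: '0640'` would be narrower than world-readable. Otherwise add a comment above the line, for example `# 0644: holds only public issuer URLs, no secrets; read by <consumer>`.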