diff --git a/helm/templates/rbac.yaml b/helm/templates/rbac.yaml
index c5fae5d3a2616..3105e1a604b63 100644
--- a/helm/templates/rbac.yaml
+++ b/helm/templates/rbac.yaml
@@ -27,7 +27,21 @@ rules:
     - patch
     - update
     - watch
-
+{{- if .Values.coder.serviceAccount.enableDeployments }}
+  - apiGroups:
+    - apps
+    resources:
+    - deployments
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
diff --git a/helm/values.yaml b/helm/values.yaml
index c7cb3237717a8..8b33481b78ee1 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -73,6 +73,9 @@ coder:
     # It is recommended to keep this on if you are using Kubernetes templates
     # within Coder.
     workspacePerms: true
+    # coder.serviceAccount.enableDeployments -- Provides the service account permission
+    # to manage Kubernetes deployments.
+    enableDeployments: false
     # coder.serviceAccount.annotations -- The Coder service account annotations.
     annotations: {}
     # coder.serviceAccount.name -- The service account name