diff --git a/pkg/controllers/registration/registration.go b/pkg/controllers/registration/registration.go
index 909ec84b9..820ebabc1 100644
--- a/pkg/controllers/registration/registration.go
+++ b/pkg/controllers/registration/registration.go
@@ -91,11 +91,30 @@ func (h *handler) OnChange(obj *elm.MachineRegistration, status elm.MachineRegis
 return status, err
 }
+ secretName := obj.Name + "-token"
+ _, err = h.clients.Core().Secret().Create(&corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: secretName,
+ Namespace: obj.Namespace,
+ Annotations: map[string]string{
+ "kubernetes.io/service-account.name": obj.Name,
+ },
+ },
+ Type: "kubernetes.io/service-account-token",
+ })
+ if err != nil && !apierrors.IsAlreadyExists(err) {
+ return status, fmt.Errorf("add Secret to %s ServiceAccount: %w", obj.Name, err)
+ }
 _, err = h.clients.Core().ServiceAccount().Create(&corev1.ServiceAccount{
 ObjectMeta: metav1.ObjectMeta{
 Name: obj.Name,
 Namespace: obj.Namespace,
 },
+ Secrets: []corev1.ObjectReference{
+ {
+ Name: secretName,
+ },
+ },
 })
 if err != nil && !apierrors.IsAlreadyExists(err) {
 return status, err
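Review bot: The token Secret is created before the ServiceAccount it names in `kubernetes.io/service-account.name`, but Kubernetes documents that the ServiceAccount must exist first; the token controller can delete a `kubernetes.io/service-account-token` Secret whose account is missing, so on a first reconcile the Secret may be removed right after it is created. Moving the `Secret().Create` call, together with its `IsAlreadyExists` check, below the `ServiceAccount().Create` error check closes that race. For a ServiceAccount that already exists, `Create` returns AlreadyExists and the new `Secrets` reference is never written, so any code that looks the token up through the account's `Secrets` list would presumably find nothing on registrations created before this change. This is a non-expiring credential and neither object gets an owner reference in the visible lines, so a comment such as `// long-lived SA token; stays valid until the ServiceAccount or this Secret is deleted` would make the lifecycle explicit. OnChange begins and ends outside the hunk, so cleanup elsewhere in the handler is not visible here.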