diff --git a/roles/servicetelemetry/tasks/component_alertmanager.yml b/roles/servicetelemetry/tasks/component_alertmanager.yml
index bcb63e44f..589a1ab74 100644
--- a/roles/servicetelemetry/tasks/component_alertmanager.yml
+++ b/roles/servicetelemetry/tasks/component_alertmanager.yml
@@ -77,6 +77,35 @@
annotations:
serviceaccounts.openshift.io/oauth-redirectreference.alertmanager: '{{ alertmanager_oauth_redir_ref | to_json }}'
+- name: Create the missing alertmanager-stf ClusterRole
+ k8s:
+ definition:
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ name: alertmanager-stf
+ rules:
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ - apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - nonroot
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+
- name: Bind role
k8s:
definition:
@@ -88,7 +117,7 @@
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: alertmanager-main
+ name: alertmanager-stf
subjects:
- kind: ServiceAccount
name: alertmanager-stf
diff --git a/roles/servicetelemetry/tasks/component_prometheus.yml b/roles/servicetelemetry/tasks/component_prometheus.yml
index eb890c1be..f301d7ea1 100644
--- a/roles/servicetelemetry/tasks/component_prometheus.yml
+++ b/roles/servicetelemetry/tasks/component_prometheus.yml
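Review bot: The new `alertmanager-stf` ClusterRole is a cluster-scoped object with a fixed name, and a cluster-scoped object cannot carry an ownerReference to the namespaced ServiceTelemetry CR, so it (and the ClusterRoleBinding repointed in the second hunk) will presumably outlive the CR unless a cleanup task removes it; a comment above the task such as `# Cluster-scoped: not garbage-collected with the ServiceTelemetry CR; remove explicitly on uninstall` would make that ownership gap visible, and if multiple ServiceTelemetry instances in different namespaces are supported they would all reconcile this one object. The rules themselves (tokenreviews/subjectaccessreviews create for the oauth-proxy sidecar, `use` on the `nonroot` SCC) look like the minimum for that purpose, so dropping the dependency on cluster-monitoring's `alertmanager-main` role is a least-privilege improvement. As a style nit, the task name records history rather than intent; `- name: Create the alertmanager-stf ClusterRole` reads better once the role is no longer "missing".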
@@ -76,6 +76,51 @@
when:
- observability_strategy in ['use_redhat', 'use_hybrid']
+- name: Create the prometheus-stf ClusterRole
+ k8s:
+ definition:
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ name: prometheus-stf
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/metrics
+ verbs:
+ - get
+ - nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - nonroot
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+
- name: Bind the local prometheus SA to prometheus cluster role (for oauth perms)
k8s:
definition:
@@ -87,7 +132,7 @@
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: prometheus-k8s
+ name: prometheus-stf
subjects:
- kind: ServiceAccount
name: prometheus-k8s
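Review bot: The `prometheus-stf` ClusterRole reproduces the cluster-monitoring `prometheus-k8s` grants wholesale, including cluster-wide `get` on `nodes/metrics` and on the `/metrics` non-resource URL, which are kubelet/cAdvisor scraping permissions; if STF's Prometheus only scrapes in-namespace targets through ServiceMonitors, those two rules can be dropped so the new role carries just what the oauth-proxy path needs (`tokenreviews`/`subjectaccessreviews` create, `namespaces` get, `use` on the `nonroot` SCC) — worth confirming against the Prometheus scrape config before trimming. The task immediately above is gated with `when: - observability_strategy in ['use_redhat', 'use_hybrid']` while the new task is unconditional, so the cluster-scoped role is created even for strategies that never deploy this Prometheus; if the binding task that starts at the end of the hunk (its body continues outside it) carries the same guard, the same `when:` belongs on this task. Like any ClusterRole created from a namespaced reconcile, it cannot be owned by the ServiceTelemetry CR and will presumably be left behind on CR deletion unless removed explicitly; a one-line comment noting that above the task would help the next maintainer.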