diff --git a/pkg/cloud/services/iam/podidentitywebhook.go b/pkg/cloud/services/iam/podidentitywebhook.go
index a67f82e355..617e904d9c 100644
--- a/pkg/cloud/services/iam/podidentitywebhook.go
+++ b/pkg/cloud/services/iam/podidentitywebhook.go
@@ -326,6 +326,20 @@ func reconcileMutatingWebHook(ctx context.Context, ns string, secret *corev1.Sec
 }
 if check.UID != "" {
+ updateAnnotations := false
+ if len(check.Annotations) == 0 {
+ check.Annotations = map[string]string{
+ certManagerInjectCAAnnotation: fmt.Sprintf("%s/%s", ns, secret.Name),
+ }
+ updateAnnotations = true
+ } else if check.Annotations[certManagerInjectCAAnnotation] == "" {
+ check.Annotations[certManagerInjectCAAnnotation] = fmt.Sprintf("%s/%s", ns, secret.Name)
+ updateAnnotations = true
+ }
+
+ if updateAnnotations {
+ return remoteClient.Update(ctx, check)
+ }
 return nil
 }
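Review bot: The new check inside `if check.UID != "" {` only fills in `certManagerInjectCAAnnotation` when it is missing or empty, so an existing webhook whose annotation names a different namespace/name is treated as reconciled and never corrected. Judging by the constant's name, that value selects which CA cert-manager injects as the webhook's trusted bundle, so a stale or tampered reference would stay in place indefinitely. Comparing against the expected value and updating on any mismatch closes that gap, and it also collapses the two branches, since reading from a nil map is safe in Go. If an operator-set value is meant to be preserved, a comment saying so is needed instead. reconcileMutatingWebHook starts and ends outside this hunk.

```go
	if check.UID != "" {
		// Reconcile the CA-injection source to the expected namespace/name,
		// not merely its presence, so a stale reference gets repaired.
		want := fmt.Sprintf("%s/%s", ns, secret.Name)
		if check.Annotations[certManagerInjectCAAnnotation] == want {
			return nil
		}
		if check.Annotations == nil {
			check.Annotations = map[string]string{}
		}
		check.Annotations[certManagerInjectCAAnnotation] = want
		return remoteClient.Update(ctx, check)
	}
```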