diff --git a/azure/deployments/azure-as.json.tpl b/azure/deployments/azure-as.json.tpl
new file mode 100644
index 0000000..54e4bac
--- /dev/null
+++ b/azure/deployments/azure-as.json.tpl
@@ -0,0 +1,23 @@
+{
+ "cloud": "AzurePublicCloud",
+ "subscriptionId": "${subscriptionId}",
+ "tenantId": "${tenantId}",
+ "aadClientId": "${clientId}",
+ "aadClientSecret": "${clientSecret}",
+ "resourceGroup": "${resourceGroup}",
+ "location": "${region}",
+ "vmType": "vmss",
+ "vnetName": "${vnetName}",
+ "vnetResourceGroup": "${resourceGroup}",
+ "loadBalancerSku": "standard",
+ "cloudProviderBackoff": true,
+ "cloudProviderBackoffRetries": 6,
+ "cloudProviderBackoffExponent": 1.5,
+ "cloudProviderBackoffDuration": 5,
+ "cloudProviderBackoffJitter": 1,
+ "cloudProviderRatelimit": true,
+ "cloudProviderRateLimitQPS": 6,
+ "cloudProviderRateLimitBucket": 20,
+ "useManagedIdentityExtension": false,
+ "useInstanceMetadata": false
+}
\ No newline at end of file
diff --git a/azure/deployments/azure-cloud-controller-manager.yaml b/azure/deployments/azure-cloud-controller-manager.yaml
index dcbabc1..d938cf0 100644
--- a/azure/deployments/azure-cloud-controller-manager.yaml
+++ b/azure/deployments/azure-cloud-controller-manager.yaml
@@ -161,7 +161,7 @@ spec:
effect: NoSchedule
containers:
- name: azure-cloud-controller-manager
- image: mcr.microsoft.com/oss/kubernetes/azure-cloud-controller-manager:v1.26.0
+ image: mcr.microsoft.com/oss/kubernetes/azure-cloud-controller-manager:v1.26.5
imagePullPolicy: IfNotPresent
command: ["cloud-controller-manager"]
args:
diff --git a/azure/deployments/azure.json.tpl b/azure/deployments/azure.json.tpl
index 54e4bac..05f0042 100644
--- a/azure/deployments/azure.json.tpl
+++ b/azure/deployments/azure.json.tpl
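Review bot: The new template still carries the service-principal fields `"aadClientId": "${clientId}"` and `"aadClientSecret": "${clientSecret}"`, yet nothing in this commit renders it — the `clientId`/`clientSecret` template variables are removed from the `templatefile` call in azure/instances-controlplane.tf and `ccm_username`/`ccm_password` are deleted from azure/variables.tf, so the file has neither a caller nor a source for those values. Its blob id (`0000000..54e4bac`) is the pre-change blob of azure.json.tpl (`54e4bac..05f0042`), i.e. a verbatim copy of the old secret-based config, including `"vmType": "vmss"`, which seems at odds with the `-as` suffix if that denotes availability sets — worth confirming. If it is meant as an opt-in alternative, add a README line stating that it is unused by default and that a rendered copy contains a client secret and needs the corresponding file protection; if not, drop it rather than keep an orphaned secret-bearing variant.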
@@ -2,8 +2,6 @@
"cloud": "AzurePublicCloud",
"subscriptionId": "${subscriptionId}",
"tenantId": "${tenantId}",
- "aadClientId": "${clientId}",
- "aadClientSecret": "${clientSecret}",
"resourceGroup": "${resourceGroup}",
"location": "${region}",
"vmType": "vmss",
@@ -18,6 +16,6 @@
"cloudProviderRatelimit": true,
"cloudProviderRateLimitQPS": 6,
"cloudProviderRateLimitBucket": 20,
- "useManagedIdentityExtension": false,
- "useInstanceMetadata": false
+ "useManagedIdentityExtension": true,
+ "useInstanceMetadata": true
}
\ No newline at end of file
diff --git a/azure/images/README.md b/azure/images/README.md
index 7f7cac6..a2be6e4 100644
--- a/azure/images/README.md
+++ b/azure/images/README.md
@@ -14,11 +14,19 @@ regions = ["uksouth", "ukwest", "westeurope"]
## Init and upload images
```shell
-wget -q https://github.com/siderolabs/talos/releases/download/v1.3.2/azure-amd64.tar.gz
+wget -q https://github.com/siderolabs/talos/releases/download/v1.3.4/azure-amd64.tar.gz
tar -xzf azure-amd64.tar.gz && mv disk.vhd disk-x64.vhd
-wget -q https://github.com/siderolabs/talos/releases/download/v1.3.2/azure-arm64.tar.gz
+wget -q https://github.com/siderolabs/talos/releases/download/v1.3.4/azure-arm64.tar.gz
tar -xzf azure-arm64.tar.gz && mv disk.vhd disk-arm64.vhd
terraform init && terraform apply
```
+
+ ## Upgrade images
+
+ ```shell
+ terraform taint 'azurerm_storage_blob.talos["x64"]'
+ terraform taint 'azurerm_storage_blob.talos["Arm64"]'
+ terraform apply
+ ```
diff --git a/azure/images/gallery.tf b/azure/images/gallery.tf
index 4a9e392..4085807 100644
--- a/azure/images/gallery.tf
+++ b/azure/images/gallery.tf
@@ -100,7 +100,7 @@ resource "azurerm_image" "talos" {
resource "azurerm_shared_image_version" "talos" {
for_each = { for name, k in azurerm_storage_blob.talos : name => k.url }
- name = "1.3.2"
+ name = var.release
location = var.regions[0]
resource_group_name = data.azurerm_resource_group.kubernetes.name
gallery_name = azurerm_shared_image.talos[each.key].gallery_name
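Review bot: `name = var.release` now has to track the Talos release of the disk images uploaded per the README in this same commit (its wget URLs hard-code `v1.3.4` while the variable default is `1.3.4`), and nothing in the hunk ties the two together — a mismatch would silently publish an image version whose name does not match its contents. A comment on the attribute would make the coupling visible: `# Gallery version name; must match the Talos release of the uploaded disk-*.vhd blobs (see README "Upgrade images").` Whether the blob upload derives its source file from var.release cannot be seen from this hunk; the rest of the resource body is outside it.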
diff --git a/azure/images/variables.tf b/azure/images/variables.tf
index 2a0c03f..ede4109 100644
--- a/azure/images/variables.tf
+++ b/azure/images/variables.tf
@@ -21,6 +21,12 @@ variable "name" {
default = "talos"
}
+variable "release" {
+ description = "The image name"
+ type = string
+ default = "1.3.4"
+}
+
variable "arch" {
description = "The Talos architecture list"
type = list(string)
diff --git a/azure/images/versions.tf b/azure/images/versions.tf
index 4be1a68..8c2a7e9 100644
--- a/azure/images/versions.tf
+++ b/azure/images/versions.tf
@@ -3,7 +3,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
- version = "~> 3.36.0"
+ version = "~> 3.43.0"
}
}
required_version = ">= 1.2"
diff --git a/azure/init/versions.tf b/azure/init/versions.tf
index ab91ef9..8c2a7e9 100644
--- a/azure/init/versions.tf
+++ b/azure/init/versions.tf
@@ -3,7 +3,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
- version = "~> 3.19.0"
+ version = "~> 3.43.0"
}
}
required_version = ">= 1.2"
diff --git a/azure/instances-controlplane.tf b/azure/instances-controlplane.tf
index 580cd6a..cfd0d6e 100644
--- a/azure/instances-controlplane.tf
+++ b/azure/instances-controlplane.tf
@@ -24,6 +24,7 @@ module "controlplane" {
instance_image = data.azurerm_shared_image_version.talos.id
instance_tags = merge(var.tags, { type = "infra" })
instance_secgroup = local.network_secgroup[each.key].controlplane
+ instance_role_definition = var.ccm_role_definition
instance_params = merge(var.kubernetes, {
lbv4 = local.network_controlplane[each.key].controlplane_lb[0]
lbv6 = try(local.network_controlplane[each.key].controlplane_lb[1], "")
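Review bot: `description = "The image name"` on the new `release` variable is inaccurate — the value is consumed as the `name` of `azurerm_shared_image_version` in gallery.tf, and Azure requires that name to be a `Major.Minor.Patch` numeric triple, which the variable neither states nor checks. A wrong value (for example the `v1.3.4` form used in the README's download URLs) would only fail at apply time. Suggest rewording the description and adding a `validation` block so the constraint is enforced at plan time, as below.

```hcl
variable "release" {
  description = "Talos release used as the gallery image version name (Major.Minor.Patch, e.g. 1.3.4); must match the uploaded disk images"
  type        = string
  default     = "1.3.4"

  validation {
    condition     = can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+$", var.release))
    error_message = "release must be Major.Minor.Patch, as required for an Azure gallery image version name."
  }
}
```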
@@ -32,8 +33,6 @@ module "controlplane" {
ccm = templatefile("${path.module}/deployments/azure.json.tpl", {
subscriptionId = local.subscription_id
tenantId = data.azurerm_client_config.terraform.tenant_id
- clientId = var.ccm_username
- clientSecret = var.ccm_password
region = each.key
resourceGroup = local.resource_group
vnetName = local.network[each.key].name
diff --git a/azure/modules/controlplane/main.tf b/azure/modules/controlplane/main.tf
index 8b7636f..db11119 100644
--- a/azure/modules/controlplane/main.tf
+++ b/azure/modules/controlplane/main.tf
@@ -87,6 +87,10 @@ resource "azurerm_linux_virtual_machine" "controlplane" {
availability_set_id = var.instance_availability_set
network_interface_ids = [azurerm_network_interface.controlplane[count.index].id]
+ identity {
+ type = "SystemAssigned"
+ }
+
# custom_data = base64encode(templatefile("${path.module}/../../templates/controlplane.yaml",
# merge(var.instance_params, {
# name = "controlplane-${lower(var.region)}-${1 + count.index}"
@@ -162,3 +166,10 @@ resource "local_file" "controlplane" {
depends_on = [azurerm_linux_virtual_machine.controlplane]
}
+
+resource "azurerm_role_assignment" "controlplane" {
+ count = var.instance_count
+ scope = "/subscriptions/${var.subscription_id}"
+ role_definition_name = var.instance_role_definition
+ principal_id = azurerm_linux_virtual_machine.controlplane[count.index].identity[0].principal_id
+}
diff --git a/azure/modules/controlplane/variables.tf b/azure/modules/controlplane/variables.tf
index c8603ff..91aa6be 100644
--- a/azure/modules/controlplane/variables.tf
+++ b/azure/modules/controlplane/variables.tf
@@ -19,6 +19,12 @@ variable "instance_resource_group" {
default = ""
}
+variable "instance_role_definition" {
+ description = "Role difinition name"
+ type = string
+ default = "Reader"
+}
+
variable "instance_availability_set" {
description = "Server availability set"
type = string
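Review bot: `scope = "/subscriptions/${var.subscription_id}"` in the new `azurerm_role_assignment` grants each control-plane VM's identity the role over the entire subscription, while the cloud-provider config rendered by this commit only points the CCM at `${resourceGroup}` (also used as `vnetResourceGroup`); scoping the assignment to that resource group's id, e.g. `scope = data.azurerm_resource_group.<RG_DATA_SOURCE>.id`, would be the least-privilege form — only `var.instance_resource_group` (default `""`) is visible in the module, so the exact reference depends on what the module already has. Two things to confirm: `var.subscription_id` is not declared in this commit's module variables.tf hunk, and the role named by `var.instance_role_definition` (`kubernetes-ccm` from the root) is a custom role that this diff does not create, so a comment such as `# Custom role must already exist in the subscription; defined in <LOCATION>` would help the next reader. Note that every VM gets its own assignment via `count`, which is fine but means the assignment set grows with `var.instance_count`; the VM resource's closing brace and the role definition itself are outside this hunk.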
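Review bot: `description = "Role difinition name"` on `instance_role_definition` has a typo and does not say what the role is for or what it is attached to; suggest `description = "Azure role definition name assigned to each control-plane VM's system-assigned identity (used by the cloud controller manager)"`. The default `"Reader"` is a read-only role and differs from the `kubernetes-ccm` value the root passes in, so a caller that omits the variable gets an identity the CCM cannot manage load balancers or routes with; if a read-only default is intentional, state that in the description so the mismatch is not mistaken for a bug.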
diff --git a/azure/modules/controlplane/versions.tf b/azure/modules/controlplane/versions.tf
index 8b3d029..8c2a7e9 100644
--- a/azure/modules/controlplane/versions.tf
+++ b/azure/modules/controlplane/versions.tf
@@ -3,7 +3,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
- version = "~> 3.25.0"
+ version = "~> 3.43.0"
}
}
required_version = ">= 1.2"
diff --git a/azure/variables.tf b/azure/variables.tf
index c22c4c7..d62c759 100644
--- a/azure/variables.tf
+++ b/azure/variables.tf
@@ -1,10 +1,6 @@
-variable "ccm_username" {
- default = ""
-}
-
-variable "ccm_password" {
- default = ""
+variable "ccm_role_definition" {
+ default = "kubernetes-ccm"
}
variable "gallery_name" {
diff --git a/azure/versions.tf b/azure/versions.tf
index 8b3d029..8c2a7e9 100644
--- a/azure/versions.tf
+++ b/azure/versions.tf
@@ -3,7 +3,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
- version = "~> 3.25.0"
+ version = "~> 3.43.0"
}
}
required_version = ">= 1.2"
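Review bot: `variable "ccm_role_definition"` in azure/variables.tf is declared with only a default, while the module variable it feeds (`instance_role_definition`) carries `type = string` and a description; suggest adding `description = "Name of the Azure role assigned to the control-plane VM identities for the cloud controller manager (must already exist)"` and `type = string` so a non-string value is rejected at plan time and the prerequisite is visible to whoever runs this root module. The two removed variables held credentials that no longer have a consumer in the templatefile call changed by this commit, so dropping them is consistent; the remainder of `variable "gallery_name"` is outside this hunk.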