diff --git a/manifests/artemis/argocd/backstage-rbac.yaml b/manifests/artemis/argocd/backstage-rbac.yaml
new file mode 100644
index 0000000..54861e8
--- /dev/null
+++ b/manifests/artemis/argocd/backstage-rbac.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: backstage-argocd-server-access
+subjects:
+ - kind: ServiceAccount
+ name: backstage-argocd
+ namespace: argocd
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: argocd-server
diff --git a/manifests/artemis/argocd/backstage-sa.yaml b/manifests/artemis/argocd/backstage-sa.yaml
new file mode 100644
index 0000000..be961e6
--- /dev/null
+++ b/manifests/artemis/argocd/backstage-sa.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: backstage-argocd
+ namespace: argocd
diff --git a/manifests/artemis/argocd/kustomization.yaml b/manifests/artemis/argocd/kustomization.yaml
index 29eaaf0..739aaa4 100644
--- a/manifests/artemis/argocd/kustomization.yaml
+++ b/manifests/artemis/argocd/kustomization.yaml
@@ -8,6 +8,8 @@ resources: - github.com/argoproj/argo-cd/manifests/cluster-install?ref=v3.2.0 - ingressRoute.yaml - certificate.yaml + - backstage-sa.yaml + - backstage-rbac.yaml patches: - target:
@@ -120,17 +122,6 @@ patches: kind: ClusterRole name: argocd-server - # Backstage ServiceAccount - - target: - kind: ServiceAccount - name: backstage-argocd - patch: |- - apiVersion: v1 - kind: ServiceAccount - metadata: - name: backstage-argocd - namespace: argocd - # Map Backstage SA to Argo CD role:admin (full Argo CD permissions) - target: kind: ConfigMap
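Review bot: In backstage-rbac.yaml the `roleRef` gives the `backstage-argocd` ServiceAccount the `argocd-server` ClusterRole cluster-wide, and the comment that marked this binding as optional ("If you only need Argo CD RBAC, you can omit this block") is dropped together with the old patch in kustomization.yaml. The same account is already mapped to `role:admin` in the Argo CD policy visible in the last hunk's context, so if Backstage only calls the Argo CD API, `backstage-rbac.yaml` can be left out of `resources:` and the account then holds no Kubernetes-level rights of its own. If direct Kubernetes access is really needed, a dedicated ClusterRole limited to the verbs and resources Backstage uses would be a tighter `roleRef` than reusing the server's role, whose effective rules appear to be patched elsewhere in this kustomization and are not visible here. The earlier `patches:` entries probably had no base resource to match, so this commit is likely the first point at which the binding actually exists. At minimum carry the rationale into the new file, e.g. `# Grants backstage-argocd the Kubernetes permissions of argocd-server; remove if only Argo CD RBAC is needed`.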
@@ -150,22 +141,3 @@ patches: p, argocd_users, applications, get, *, allow # Backstage SA -> role:admin g, system:serviceaccount:argocd:backstage-argocd, role:admin - - # Optional: bind Backstage SA to argocd-server ClusterRole for Kubernetes-level API verbs Argo CD server uses - # If you only need Argo CD RBAC, you can omit this block - - target: - kind: ClusterRoleBinding - name: backstage-argocd-server-access - patch: |- - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: backstage-argocd-server-access - subjects: - - kind: ServiceAccount - name: backstage-argocd - namespace: argocd - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argocd-server