diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 87cfec1..b04a3ba 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -39,6 +39,12 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - devportal.kuadrant.io
+  resources:
+  - apikeyrequests/finalizers
+  verbs:
+  - update
 - apiGroups:
   - devportal.kuadrant.io
   resources:
diff --git a/internal/controller/apikeyapproval_controller.go b/internal/controller/apikeyapproval_controller.go
index 4fa33c9..ee11dc6 100644
--- a/internal/controller/apikeyapproval_controller.go
+++ b/internal/controller/apikeyapproval_controller.go
@@ -40,6 +40,7 @@ type APIKeyApprovalReconciler struct {
 
 // +kubebuilder:rbac:groups=devportal.kuadrant.io,resources=apikeyapprovals,verbs=get;list;watch;update;patch;delete
 // +kubebuilder:rbac:groups=devportal.kuadrant.io,resources=apikeyrequests,verbs=get;list;watch
+// +kubebuilder:rbac:groups=devportal.kuadrant.io,resources=apikeyrequests/finalizers,verbs=update
 
 // Reconcile handles reconciling all APIKeyApprovals in a single call. Any resource event should enqueue the
 // same reconcile.Request containing this controller name, i.e. "apikeyapproval". This allows multiple resource updates to
@@ -124,7 +125,6 @@ func (r *APIKeyApprovalReconciler) reconcileOwnerReference(ctx context.Context,
 
 	// Update the APIKeyApproval with the owner reference
 	if err := r.Update(ctx, approval); err != nil {
-		logger.Error(err, "Failed to update APIKeyApproval with owner reference")
 		return err
 	}