diff --git a/helm/teleport-operator/templates/configmap.yaml b/helm/teleport-operator/templates/configmap.yaml
index e503612a..96c7d2b2 100644
--- a/helm/teleport-operator/templates/configmap.yaml
+++ b/helm/teleport-operator/templates/configmap.yaml
@@ -20,4 +20,8 @@ data:
 # Auth Server. Prefer the address of the Teleport Proxy.
 auth_server: test.teleport.giantswarm.io:443
 # outputs will be filled in during the completion of an access guide.
- outputs: []
+ outputs:
+ - type: identity
+ destination:
+ type: kubernetes_secret
+ name: identity-output
diff --git a/helm/teleport-operator/templates/tbot-deployment.yaml b/helm/teleport-operator/templates/tbot-deployment.yaml
index 3b44ee5f..4713c01a 100644
--- a/helm/teleport-operator/templates/tbot-deployment.yaml
+++ b/helm/teleport-operator/templates/tbot-deployment.yaml
@@ -76,5 +76,4 @@ spec:
 expirationSeconds: 600
 # `example.teleport.sh` must be replaced with the name of
 # your Teleport cluster.
- audience: test.teleport.giantwarm.io
-
+ audience: gs-teleport-test
diff --git a/internal/pkg/teleport/secret.go b/internal/pkg/teleport/secret.go
index c1639525..50d7ec1b 100644
--- a/internal/pkg/teleport/secret.go
+++ b/internal/pkg/teleport/secret.go
@@ -40,10 +40,10 @@ func GetConfigFromSecret(ctx context.Context, ctrlClient client.Client, namespac
 return nil, microerror.Mask(err)
 }

- identityFile, err := getSecretString(secret, key.IdentityFile)
- if err != nil {
- return nil, microerror.Mask(err)
- }
+ // identityFile, err := getSecretString(secret, key.IdentityFile)
+ // if err != nil {
+ // return nil, microerror.Mask(err)
+ // }

 managementClusterName, err := getSecretString(secret, key.ManagementClusterName)
 if err != nil {
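Review bot: The secret name `identity-output` added under `outputs` in configmap.yaml is a literal that internal/pkg/teleport/secret.go hard-codes as well, so the two can drift apart without any error at install time. Consider rendering it from one chart value, e.g. `name: {{ .Values.<TBOT_IDENTITY_SECRET_NAME> }}` (placeholder key), and handing the same value to the operator. This secret will hold a Teleport identity, so read access should be limited to the operator's service account and write access to tbot's; the RBAC that grants this is not visible in the diff.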
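Review bot: The new `audience: gs-teleport-test` in tbot-deployment.yaml pins the projected service-account token to one test cluster name inside a chart template, and the comment directly above still talks about `example.teleport.sh`. Per that comment the audience must equal the Teleport cluster name, so it should come from chart values, e.g. `audience: {{ .Values.<TELEPORT_CLUSTER_NAME> }}` (placeholder key), with the comment updated to say so. The hard-coded `auth_server` shown as context in configmap.yaml has the same problem.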
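Review bot: The identity lookup in GetConfigFromSecret is commented out rather than deleted (the four `// identityFile, err := ...` lines), which leaves dead code and makes it unclear whether `key.IdentityFile` is still a supported input. Delete the lines and rely on version control for the history. If the operator secret no longer needs an identity file, that key should presumably also be dropped from the stored secret so an earlier, longer-lived identity does not linger there; whether it is still populated cannot be seen from this hunk. The function begins and ends outside the hunk.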
@@ -70,8 +70,22 @@ func GetConfigFromSecret(ctx context.Context, ctrlClient client.Client, namespac
 return nil, microerror.Mask(err)
 }

+ tbotSecret := &corev1.Secret{}
+
+ if err := ctrlClient.Get(ctx, types.NamespacedName{
+ Name: "identity-output",
+ Namespace: namespace,
+ }, tbotSecret); err != nil {
+ return nil, microerror.Mask(err)
+ }
+
+ identity, err := getSecretString(tbotSecret, "identity")
+ if err != nil {
+ return nil, microerror.Mask(err)
+ }
+
 return &SecretConfig{
- IdentityFile: identityFile,
+ IdentityFile: identity,
 ProxyAddr: proxyAddr,
 ManagementClusterName: managementClusterName,
 TeleportVersion: teleportVersion,
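Review bot: The secret name `"identity-output"` and the data key `"identity"` are string literals in GetConfigFromSecret, while the other lookups visible in this diff go through the `key` package, and the name also has to match the tbot output in configmap.yaml. Move both into `key` constants so there is a single place to change. Separately, if tbot has not written the secret yet, the `ctrlClient.Get` failure is returned as a bare `microerror.Mask(err)`; checking `apierrors.IsNotFound(err)` and returning an error that names the missing secret would make that start-up ordering problem diagnosable. The function begins outside the hunk.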