diff --git a/.changelog/3928.txt b/.changelog/3928.txt
new file mode 100644
index 0000000000..cfff98bf76
--- /dev/null
+++ b/.changelog/3928.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+terminating-gateways: Remove unnecessary permissions from terminating gateways role
+```
diff --git a/charts/consul/templates/terminating-gateways-role.yaml b/charts/consul/templates/terminating-gateways-role.yaml
index 4ae280ca81..51e37664d3 100644
--- a/charts/consul/templates/terminating-gateways-role.yaml
+++ b/charts/consul/templates/terminating-gateways-role.yaml
@@ -16,25 +16,14 @@ metadata:
 release: {{ $root.Release.Name }}
 component: terminating-gateway
 terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }}
-{{- if (or $root.Values.global.acls.manageSystemACLs $root.Values.global.enablePodSecurityPolicies) }}
-rules:
 {{- if $root.Values.global.enablePodSecurityPolicies }}
+rules:
 - apiGroups: ["policy"]
 resources: ["podsecuritypolicies"]
 resourceNames:
 - {{ template "consul.fullname" $root }}-{{ .name }}
 verbs:
 - use
-{{- end }}
-{{- if $root.Values.global.acls.manageSystemACLs }}
- - apiGroups: [""]
- resources:
- - secrets
- resourceNames:
- - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token
- verbs:
- - get
-{{- end }}
 {{- else }}
 rules: []
 {{- end }}
diff --git a/charts/consul/test/unit/terminating-gateways-role.bats b/charts/consul/test/unit/terminating-gateways-role.bats
index f109a2dd23..5c0fb571a2 100644
--- a/charts/consul/test/unit/terminating-gateways-role.bats
+++ b/charts/consul/test/unit/terminating-gateways-role.bats
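Review bot: The PSP-gated block that remains gives no indication of why the `get` rule on the `-acl-token` secret was dropped, so a later maintainer may re-add it the next time ACL-related changes touch this template. A template comment above the new `rules:` line, such as `{{/* The ACL token secret is intentionally not readable via the API; keep this Role limited to the PSP rule. */}}`, would record the least-privilege decision in the file itself. It is also worth confirming that nothing in the terminating-gateway pod still fetches that secret through the Kubernetes API (a kubelet volume mount does not need RBAC), since after this change such a read would be denied; that cannot be verified from the hunk alone. The `{{- else }} rules: [] {{- end }}` tail is unchanged and still renders an empty Role when PSPs are disabled, which is the expected shape.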
@@ -32,23 +32,6 @@ load _helpers
 [ "${actual}" = "podsecuritypolicies" ]
 }
-@test "terminatingGateways/Role: rules for global.acls.manageSystemACLs=true" {
- cd `chart_dir`
- local object=$(helm template \
- -s templates/terminating-gateways-role.yaml \
- --set 'terminatingGateways.enabled=true' \
- --set 'connectInject.enabled=true' \
- --set 'global.acls.manageSystemACLs=true' \
- . | tee /dev/stderr |
- yq -s -r '.[0].rules[0]' | tee /dev/stderr)
-
- local actual=$(echo $object | yq -r '.resources[0]' | tee /dev/stderr)
- [ "${actual}" = "secrets" ]
-
- local actual=$(echo $object | yq -r '.resourceNames[0]' | tee /dev/stderr)
- [ "${actual}" = "release-name-consul-terminating-gateway-acl-token" ]
-}
-
 @test "terminatingGateways/Role: rules is empty if no ACLs, PSPs" {
 cd `chart_dir`
 local actual=$(helm template \
@@ -70,7 +53,7 @@ load _helpers
 --set 'global.enablePodSecurityPolicies=true' \
 . | tee /dev/stderr |
 yq -s -r '.[0].rules | length' | tee /dev/stderr)
- [ "${actual}" = "2" ]
+ [ "${actual}" = "1" ]
 }
 @test "terminatingGateways/Role: rules for ACLs, PSPs with multiple gateways" {
@@ -93,10 +76,10 @@ load _helpers
 [ "${actual}" = "release-name-consul-gateway2" ]
 local actual=$(echo $object | yq '.[0].rules | length' | tee /dev/stderr)
- [ "${actual}" = "2" ]
+ [ "${actual}" = "1" ]
 local actual=$(echo $object | yq '.[1].rules | length' | tee /dev/stderr)
- [ "${actual}" = "2" ]
+ [ "${actual}" = "1" ]
 local actual=$(echo $object | yq '.[2] | length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
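Review bot: The test titles left as context in this hunk and the two that follow — `rules is empty if no ACLs, PSPs` and `rules for ACLs, PSPs with multiple gateways` — still describe ACL settings as influencing the Role, which after this commit they no longer do, so the titles now misstate what the assertions cover; renaming them to mention only PSPs would keep the suite honest (the bodies of both tests run past the hunk edges, so their `--set` flags are not visible here). The commit only deletes the positive secrets test and lowers the rule counts to `1`; nothing asserts that the `secrets` rule is actually absent when `global.acls.manageSystemACLs=true`, which is the regression this change is meant to prevent. A small negative test along the lines of `local actual=$(echo "$object" | yq -r '[.rules[] | select(.resources[] == "secrets")] | length' | tee /dev/stderr)` followed by `[ "${actual}" = "0" ]` (constructed sketch, adjust to the file's helm/yq invocation) would catch the permission being reintroduced.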