diff --git a/metadata.yaml b/metadata.yaml
index 5261e57..169fbca 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -17,12 +17,12 @@ resources:
 type: oci-image
 description: Profile controller image
 auto-fetch: true
- upstream-source: docker.io/kubeflownotebookswg/profile-controller:v1.8.0-rc.0
+ upstream-source: docker.io/kubeflownotebookswg/profile-controller:v1.8.0-rc.2
 kfam-image:
 type: oci-image
 description: Access Management image
 auto-fetch: true
- upstream-source: docker.io/kubeflownotebookswg/kfam:v1.8.0-rc.0
+ upstream-source: docker.io/kubeflownotebookswg/kfam:v1.8.0-rc.2
 provides:
 kubeflow-profiles:
 interface: k8s-service
diff --git a/src/charm.py b/src/charm.py
index 04d8438..e4ff262 100755
--- a/src/charm.py
+++ b/src/charm.py
@@ -62,6 +62,15 @@ def __init__(self, *args):
 self._lightkube_field_manager = "lightkube"
 self._k8s_resource_handler = None
 
+ # service account names are hardcoded
+ # TODO: implement relation and get from relation data
+ # tracked in https://github.com/canonical/kubeflow-profiles-operator/issues/156
+ self._istio_gateway_principal = (
+ "cluster.local/ns/kubeflow/sa/istio-ingressgateway-workload-service-account"
+ )
+ self._notebook_controller_principal = "cluster.local/ns/kubeflow/sa/jupyter-controller"
+ self._kfp_ui_principal = "cluster.local/ns/kubeflow/sa/kfp-ui"
+
 # setup events to be handled by specific event handlers
 self.framework.observe(self.on.install, self._on_install)
 self.framework.observe(self.on.remove, self._on_remove)
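Review bot: The three principals added in `__init__` hard-code both the namespace (`kubeflow`) and the trust domain (`cluster.local`), and presumably become the identities the controllers trust when they build authorization policies for each profile namespace. If the charm is deployed into a model with another name, or the mesh uses a different trust domain, these strings will not match the real gateway, notebook-controller and kfp-ui service accounts, so access either breaks or is granted to whatever service account happens to carry that name in a `kubeflow` namespace. Until the relation from the TODO exists, and assuming those workloads run in the charm's own model, the namespace part could come from `self.model.name` (already read in `_context`), e.g. `f"cluster.local/ns/{self.model.name}/sa/kfp-ui"`. The comment should also say what the values are used for, for example `# identities allowed into user namespaces; must match the deployed service accounts`. `__init__` starts and ends outside the hunk.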
@@ -98,6 +107,23 @@ def _context(self):
 context = {"app_name": self.model.app.name, "model_name": self.model.name}
 return context
 
+ @property
+ def _profiles_service_environment(self):
+ """Return environment variables for kubeflow-profiles container."""
+ return {
+ "ISTIO_INGRESS_GATEWAY_PRINCIPAL": self._istio_gateway_principal, # noqa E501
+ "NOTEBOOK_CONTROLLER_PRINCIPAL": self._notebook_controller_principal,
+ "KFP_UI_PRINCIPAL": self._kfp_ui_principal,
+ }
+
+ @property
+ def _kfam_service_environment(self):
+ """Return environment variables for kubeflow-kfam container."""
+ return {
+ "ISTIO_INGRESS_GATEWAY_PRINCIPAL": self._istio_gateway_principal, # noqa E501
+ "KFP_UI_PRINCIPAL": self._kfp_ui_principal,
+ }
+
 @property
 def k8s_resource_handler(self):
 """Update K8S with K8S resources."""
@@ -128,6 +154,7 @@ def _profiles_pebble_layer(self) -> Layer:
 "command": (
 "/manager " "-userid-header " "kubeflow-userid " "-userid-prefix " '""'
 ),
+ "environment": self._profiles_service_environment,
 "startup": "enabled",
 }
 },
@@ -159,6 +186,7 @@ def _kfam_pebble_layer(self) -> Layer:
 "-userid-prefix "
 '""'
 ),
+ "environment": self._kfam_service_environment,
 "startup": "enabled",
 }
 },
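Review bot: The `# noqa E501` markers on the `ISTIO_INGRESS_GATEWAY_PRINCIPAL` entries in both new properties lack the colon, and as far as I know flake8 then reads them as a bare `# noqa` that silences every check on the line, not just line length. Write `# noqa: E501`, or drop the marker if the line fits the project's limit once indented. The docstrings could also state what the values are for, e.g. `"""Return the principals the profile controller is told to trust, as container environment."""`, since these names are presumably read verbatim by the workload and a typo in a key would fall back to the image's defaults without any error. The two layer hunks that follow only wire these properties into `"environment"`.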