diff --git a/dev-infrastructure/modules/aks-cluster-base.bicep b/dev-infrastructure/modules/aks-cluster-base.bicep
index ff72afe11..81ef99811 100644
--- a/dev-infrastructure/modules/aks-cluster-base.bicep
+++ b/dev-infrastructure/modules/aks-cluster-base.bicep
@@ -395,7 +395,7 @@ module serviceAccounts './aks-manifest.bicep' = {
         apiVersion: 'v1'
         kind: 'ServiceAccount'
         metadata: {
-          name: workloadIdentities[i].value.uamiName
+          name: workloadIdentities[i].value.serviceAccountName
           namespace: workloadIdentities[i].value.namespace
           annotations: {
             'azure.workload.identity/client-id': uami[i].properties.clientId
diff --git a/dev-infrastructure/modules/aks-manifest.bicep b/dev-infrastructure/modules/aks-manifest.bicep
index c1e9aae5a..6ecb5b3bb 100644
--- a/dev-infrastructure/modules/aks-manifest.bicep
+++ b/dev-infrastructure/modules/aks-manifest.bicep
@@ -3,15 +3,18 @@ param aksClusterName string
 param location string
 param aksManagedIdentityId string
 param manifests array
+param forceUpdateTag string = guid(string(manifests))
 
-var namespaces = [for manifest in manifests: manifest.metadata.namespace]
+var namespaces = [
+  for manifest in filter(manifests, m => contains(m.metadata, 'namespace')): manifest.metadata.namespace
+]
 var uniqueNamespaces = union(namespaces, [])
 var namespaceManifests = [
-  for i in range(0, length(uniqueNamespaces)): {
+  for ns in uniqueNamespaces: {
     apiVersion: 'v1'
     kind: 'Namespace'
     metadata: {
-      name: uniqueNamespaces[i]
+      name: ns
     }
   }
 ]
@@ -54,6 +57,7 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
     // * avoid the need for a network path to the cluster
     //
     // right now az aks command invoke fails with `MissingAADClusterToken` when run within a deploymentscript
+    forceUpdateTag: forceUpdateTag
     environmentVariables: [
       {
         name: 'AKS_CLUSTER_RG'