diff --git a/authority/provisioner/acme.go b/authority/provisioner/acme.go
index 913d0ace..b5d806ab 100644
--- a/authority/provisioner/acme.go
+++ b/authority/provisioner/acme.go
@@ -89,6 +89,7 @@ func (p *ACME) Init(config Config) (err error) {
 // on the resulting certificate.
 func (p *ACME) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
 	return []SignOption{
+		p,
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeACME, p.Name, ""),
 		newForceCNOption(p.ForceCN),
diff --git a/authority/provisioner/aws.go b/authority/provisioner/aws.go
index 5f79d7d0..9d27e016 100644
--- a/authority/provisioner/aws.go
+++ b/authority/provisioner/aws.go
@@ -467,6 +467,7 @@ func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 	}
 
 	return append(so,
+		p,
 		templateOptions,
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeAWS, p.Name, doc.AccountID, "InstanceID", doc.InstanceID),
diff --git a/authority/provisioner/azure.go b/authority/provisioner/azure.go
index d9654566..58ce47b3 100644
--- a/authority/provisioner/azure.go
+++ b/authority/provisioner/azure.go
@@ -349,6 +349,7 @@ func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
 	}
 
 	return append(so,
+		p,
 		templateOptions,
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeAzure, p.Name, p.TenantID),
diff --git a/authority/provisioner/gcp.go b/authority/provisioner/gcp.go
index 6070b640..69d909a2 100644
--- a/authority/provisioner/gcp.go
+++ b/authority/provisioner/gcp.go
@@ -262,6 +262,7 @@ func (p *GCP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 	}
 
 	return append(so,
+		p,
 		templateOptions,
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeGCP, p.Name, claims.Subject, "InstanceID", ce.InstanceID, "InstanceName", ce.InstanceName),
diff --git a/authority/provisioner/jwk.go b/authority/provisioner/jwk.go
index c014bec0..3c5032fb 100644
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@@ -170,6 +170,7 @@ func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 	}
 
 	return []SignOption{
+		p,
 		templateOptions,
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeJWK, p.Name, p.Key.KeyID),
diff --git a/authority/provisioner/k8sSA.go b/authority/provisioner/k8sSA.go
index 557d571a..083773e0 100644
--- a/authority/provisioner/k8sSA.go
+++ b/authority/provisioner/k8sSA.go
@@ -231,6 +231,7 @@ func (p *K8sSA) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
 	}
 
 	return []SignOption{
+		p,
 		templateOptions,
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeK8sSA, p.Name, ""),
diff --git a/authority/provisioner/nebula.go b/authority/provisioner/nebula.go
index 1a6eee3e..4216e997 100644
--- a/authority/provisioner/nebula.go
+++ b/authority/provisioner/nebula.go
@@ -144,6 +144,7 @@ func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
 	}
 
 	return []SignOption{
+		p,
 		templateOptions,
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeNebula, p.Name, ""),
diff --git a/authority/provisioner/noop.go b/authority/provisioner/noop.go
index 1709fbca..39661e54 100644
--- a/authority/provisioner/noop.go
+++ b/authority/provisioner/noop.go
@@ -38,7 +38,7 @@ func (p *noop) Init(config Config) error {
 }
 
 func (p *noop) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
-	return []SignOption{}, nil
+	return []SignOption{p}, nil
 }
 
 func (p *noop) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error {
diff --git a/authority/provisioner/oidc.go b/authority/provisioner/oidc.go
index 1fc9bb4b..3a9398a2 100644
--- a/authority/provisioner/oidc.go
+++ b/authority/provisioner/oidc.go
@@ -345,6 +345,7 @@ func (o *OIDC) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e
 	}
 
 	return []SignOption{
+		o,
 		templateOptions,
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeOIDC, o.Name, o.ClientID),
diff --git a/authority/provisioner/scep.go b/authority/provisioner/scep.go
index f4cffd78..9dc1edd8 100644
--- a/authority/provisioner/scep.go
+++ b/authority/provisioner/scep.go
@@ -121,6 +121,7 @@ func (s *SCEP) Init(config Config) (err error) {
 // on the resulting certificate.
 func (s *SCEP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
 	return []SignOption{
+		s,
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeSCEP, s.Name, ""),
 		newForceCNOption(s.ForceCN),
diff --git a/authority/provisioner/x5c.go b/authority/provisioner/x5c.go
index 6f534c76..4f3e5899 100644
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@@ -218,6 +218,7 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 	}
 
 	return []SignOption{
+		p,
 		templateOptions,
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeX5C, p.Name, ""),