diff --git a/hack/aead/aead.go b/hack/aead/aead.go
index 69943ad255c..9b395ecbe62 100644
--- a/hack/aead/aead.go
+++ b/hack/aead/aead.go
@@ -39,10 +39,16 @@ func run(ctx context.Context, log *logrus.Entry) error {
 	if *fileName == "-" {
 		file = os.Stdin
 	} else {
-		file, err = os.Open(*fileName)
+		openedFile, err := os.Open(*fileName)
 		if err != nil {
 			return err
 		}
+		defer func() {
+			if closeErr := openedFile.Close(); closeErr != nil {
+				log.WithError(closeErr).Warn("failed to close file")
+			}
+		}()
+		file = openedFile
 	}
 
 	scanner := bufio.NewScanner(file)
diff --git a/hack/role/role.go b/hack/role/role.go
index e8ec3849009..acf2d9f772c 100644
--- a/hack/role/role.go
+++ b/hack/role/role.go
@@ -340,6 +340,9 @@ func (m *manager) GetAzureProviderSpec(manifest string) (*cloudcredentialv1.Azur
 	if err != nil {
 		return nil, fmt.Errorf("failed to open manifest: %w", err)
 	}
+	defer func() {
+		_ = f.Close()
+	}()
 
 	credreq, err := GetAzureCredentialsRequest(f)
 	if err != nil {