diff --git a/library/common-test/tests/pod/service_account_name_test.yaml b/library/common-test/tests/pod/service_account_name_test.yaml
index 2023ca44f4..35bb7b3ae3 100644
--- a/library/common-test/tests/pod/service_account_name_test.yaml
+++ b/library/common-test/tests/pod/service_account_name_test.yaml
@@ -19,6 +19,7 @@ tests:
 serviceAccount:
 sa-name1:
 enabled: true
+ primary: true
 asserts:
 - documentIndex: &cronJobDoc 1
 isKind:
@@ -55,6 +56,7 @@ tests:
 serviceAccount:
 sa-name1:
 enabled: true
+ primary: true
 targetSelectAll: true
 asserts:
 - documentIndex: &deploymentDoc 1
@@ -88,6 +90,7 @@ tests:
 serviceAccount:
 sa-name1:
 enabled: true
+ primary: true
 targetSelector:
 - workload-name1
 - workload-name2
@@ -119,6 +122,7 @@ tests:
 serviceAccount:
 sa-name1:
 enabled: true
+ primary: true
 targetSelector:
 - workload-name1
 sa-name2:
diff --git a/library/common-test/tests/serviceAccount/metadata_test.yaml b/library/common-test/tests/serviceAccount/metadata_test.yaml
index e2e4a3307e..a25f0ae50c 100644
--- a/library/common-test/tests/serviceAccount/metadata_test.yaml
+++ b/library/common-test/tests/serviceAccount/metadata_test.yaml
@@ -20,6 +20,7 @@ tests:
 serviceAccount:
 my-sa1:
 enabled: true
+ primary: true
 labels:
 label1: "{{ .Values.label1 }}"
 label2: label2
diff --git a/library/common-test/tests/serviceAccount/validation_test.yaml b/library/common-test/tests/serviceAccount/validation_test.yaml
index 7b6df9d73b..215375d3e5 100644
--- a/library/common-test/tests/serviceAccount/validation_test.yaml
+++ b/library/common-test/tests/serviceAccount/validation_test.yaml
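Review bot: Values files that enable a single service account without a `primary` key will now fail to render, which appears to be why `primary: true` had to be added to every fixture touched in these four hunks and in the metadata_test.yaml hunk. If that strictness is intended for a library chart it is a breaking change for downstream values and deserves a changelog/values-documentation entry naming the new required key; if it is not intended, the validation could treat a lone enabled account as implicitly primary so existing values keep working. The fixtures themselves are fine either way.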
@@ -5,8 +5,12 @@ tests:
 - it: should fail with name longer than 63 characters
 set:
 serviceAccount:
+ my-sa:
+ enabled: true
+ primary: true
 my-service-account-super-long-name-that-is-longer-than-63-characters:
 enabled: true
+ primary: false
 asserts:
 - failedTemplate:
 errorMessage: Name [release-name-common-test-my-service-account-super-long-name-that-is-longer-than-63-characters] is not valid. Must start and end with an alphanumeric character. It can contain '-'. And must be at most 63 characters.
@@ -14,19 +18,22 @@ tests:
 - it: should fail with name starting with underscore
 set:
 serviceAccount:
- _my-sa:
+ my-sa1:
 enabled: true
- data:
- foo: bar
+ primary: true
+ _my-sa2:
+ enabled: true
+ primary: false
 asserts:
 - failedTemplate:
- errorMessage: Name [release-name-common-test-_my-sa] is not valid. Must start and end with an alphanumeric character. It can contain '-'. And must be at most 63 characters.
+ errorMessage: Name [release-name-common-test-_my-sa2] is not valid. Must start and end with an alphanumeric character. It can contain '-'. And must be at most 63 characters.

 - it: should fail with labels not a dict
 set:
 serviceAccount:
 my-sa:
 enabled: true
+ primary: true
 labels: "not a dict"
 asserts:
 - failedTemplate:
@@ -37,6 +44,7 @@ tests:
 serviceAccount:
 my-sa:
 enabled: true
+ primary: true
 annotations: "not a dict"
 asserts:
 - failedTemplate:
@@ -54,3 +62,16 @@ tests:
 asserts:
 - failedTemplate:
 errorMessage: Service Account - Only one service account can be primary
+
+ - it: should fail without any primary on enabled service accounts
+ set:
+ serviceAccount:
+ my-sa:
+ enabled: true
+ primary: false
+ my-sa2:
+ enabled: true
+ primary: false
+ asserts:
+ - failedTemplate:
+ errorMessage: Service Account - At least one enabled service account must be primary
diff --git a/library/common/1.0.0/templates/lib/serviceAccount/_validation.tpl b/library/common/1.0.0/templates/lib/serviceAccount/_validation.tpl
index 3b0d6d2275..cb611c96bf 100644
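Review bot: The new case at the end of the last validation_test.yaml hunk only covers enabled accounts that set `primary: false` explicitly; the likelier real-world shape — enabled accounts with no `primary` key at all, the old default and the path that `hasKey` guards in `_validation.tpl` — is not exercised, nor is the all-disabled shape where the rule must stay silent. A case with the key omitted on both accounts, expecting the same `At least one enabled service account must be primary` message, would pin the migration behaviour, and a companion case with every account `enabled: false` asserting a successful render would pin the `$hasEnabled` guard. The test list continues beyond the hunk, so place them wherever the file groups its primary-related cases.

```yaml
  # … unchanged: existing primary test cases …
  - it: should fail when enabled service accounts omit the primary key
    set:
      serviceAccount:
        my-sa:
          enabled: true
        my-sa2:
          enabled: true
    asserts:
      - failedTemplate:
          errorMessage: Service Account - At least one enabled service account must be primary
```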
--- a/library/common/1.0.0/templates/lib/serviceAccount/_validation.tpl
+++ b/library/common/1.0.0/templates/lib/serviceAccount/_validation.tpl
@@ -33,11 +33,13 @@ objectData: {{/* Initialize values */}} {{- $hasPrimary := false -}} + {{- $hasEnabled := false -}} {{- range $name, $serviceAccount := .Values.serviceAccount -}} {{/* If service account is enabled */}} {{- if $serviceAccount.enabled -}} + {{- $hasEnabled = true -}} {{/* And service account is primary */}} {{- if and (hasKey $serviceAccount "primary") ($serviceAccount.primary) -}}
@@ -54,4 +56,9 @@ objectData: {{- end -}} {{- end -}} + {{/* Require at least one primary service account, if any enabled */}} + {{- if and $hasEnabled (not $hasPrimary) -}} + {{- fail "Service Account - At least one enabled service account must be primary" -}} + {{- end -}} + + {{- end -}}
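Review bot: The new "must be primary" rule in the second hunk depends on `$hasPrimary`, which the first hunk's existing `and (hasKey $serviceAccount "primary") ($serviceAccount.primary)` sets through Go-template truthiness, so a string value such as `primary: "false"` (for example via `--set-string`) is non-empty, counts as primary, and silently satisfies the new check. The validation tests already expect non-dict `labels` and `annotations` to be rejected, so a matching type guard just before that line would close the gap: `{{- if and (hasKey $serviceAccount "primary") (not (kindIs "bool" $serviceAccount.primary)) -}}` / `{{- fail "Service Account - primary must be a boolean" -}}` / `{{- end -}}`. The `$hasEnabled`/`not $hasPrimary` combination itself is correct and deliberately stays silent when every account is disabled, which the comment on the first added line could state outright. The enclosing template definition starts before the first hunk, so the declaration scope of `$hasEnabled` is assumed to match `$hasPrimary`'s.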