diff --git a/hack/prepare-impersonator-on-kind.sh b/hack/prepare-impersonator-on-kind.sh
new file mode 100755
index 00000000..aae4f459
--- /dev/null
+++ b/hack/prepare-impersonator-on-kind.sh
@@ -0,0 +1,114 @@
+#!/usr/bin/env bash
+
+# A script to perform the setup required to manually test using the impersonation proxy on a kind cluster.
+# Assumes that you installed the apps already using hack/prepare-for-integration-tests.sh.
+
+set -euo pipefail
+
+# The name of the namespace in which the concierge is installed.
+CONCIERGE_NAMESPACE=concierge
+# The name of the concierge app's Deployment.
+CONCIERGE_DEPLOYMENT=pinniped-concierge
+# The namespace in which the local-user-authenticator app is installed.
+LOCAL_USER_AUTHENTICATOR_NAMESPACE=local-user-authenticator
+# The port on which the impersonation proxy runs in the concierge pods.
+IMPERSONATION_PROXY_PORT=8444
+# The port that we will use to access the impersonator from outside the cluster via `kubectl port-forward`.
+LOCAL_PORT=8777
+LOCAL_HOST="127.0.0.1:${LOCAL_PORT}"
+
+# Change working directory to the top of the repo.
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$ROOT"
+
+# Build the CLI for use later in the script.
+go build ./cmd/pinniped
+
+# Create a test user and password.
+if ! kubectl get secret pinny-the-seal --namespace $LOCAL_USER_AUTHENTICATOR_NAMESPACE; then
+  kubectl create secret generic pinny-the-seal --namespace $LOCAL_USER_AUTHENTICATOR_NAMESPACE \
+    --from-literal=groups=group1,group2 \
+    --from-literal=passwordHash="$(htpasswd -nbBC 10 x password123 | sed -e "s/^x://")"
+fi
+
+# Get the CA of the local-user-authenticator.
+LOCAL_USER_AUTHENTICATOR_CA=$(kubectl get secret local-user-authenticator-tls-serving-certificate \
+  --namespace $LOCAL_USER_AUTHENTICATOR_NAMESPACE \
+  -o jsonpath=\{.data.caCertificate\})
+
+# Create a WebhookAuthenticator which points at the local-user-authenticator.
+cat <<EOF | kubectl apply -f -
+apiVersion: authentication.concierge.pinniped.dev/v1alpha1
+kind: WebhookAuthenticator
+metadata:
+  name: local-user-authenticator
+spec:
+  endpoint: https://local-user-authenticator.local-user-authenticator.svc/authenticate
+  tls:
+    certificateAuthorityData: $LOCAL_USER_AUTHENTICATOR_CA
+EOF
+
+# Create an RBAC rule to allow the test user to do most things.
+cat <<EOF | kubectl apply -f -
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name:  pinny-the-seal-can-edit
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: edit
+subjects:
+- kind: User
+  name: pinny-the-seal
+EOF
+
+# Create a configmap to enable the impersonation proxy and set the endpoint to match the
+# host and port that we will use the access the impersonation proxy (via the port-forwarded port).
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pinniped-concierge-impersonation-proxy-config
+  namespace: $CONCIERGE_NAMESPACE
+data:
+  config.yaml: |
+    endpoint: ${LOCAL_HOST}
+    mode: enabled
+EOF
+
+# Wait for the CredentialIssuer's impersonator status to update to be successful.
+while [[ -z "$(kubectl get credentialissuer pinniped-concierge-config -o json |
+  jq '.status.strategies[] | select((.type=="ImpersonationProxy") and (.status=="Success"))')" ]]; do
+  echo "Waiting for a successful ImpersonationProxy strategy on CredentialIssuer..."
+  sleep 2
+done
+echo "Impersonator is available on https://${LOCAL_HOST}"
+
+# Make the impersonation proxy's port from the inside the cluster available locally.
+kubectl port-forward -n $CONCIERGE_NAMESPACE deployment/$CONCIERGE_DEPLOYMENT ${LOCAL_PORT}:${IMPERSONATION_PROXY_PORT} &
+port_forward_pid=$!
+
+# Kill the kubectl port-forward command whenever the script is control-c cancelled or otherwise ends.
+function cleanup() {
+  echo
+  echo "Cleaning up cluster resources..."
+  kubectl delete secret -n $LOCAL_USER_AUTHENTICATOR_NAMESPACE pinny-the-seal
+  kubectl delete configmap -n $CONCIERGE_NAMESPACE pinniped-concierge-impersonation-proxy-config
+  kubectl delete clusterrolebinding pinny-the-seal-can-edit
+  kubectl delete webhookauthenticator local-user-authenticator
+  echo "Stopping kubectl port-forward and exiting..."
+  # It may have already shut down, so ignore errors.
+  kill -9 $port_forward_pid &> /dev/null || true
+}
+trap cleanup EXIT
+
+# Get a working kubeconfig that will send requests through the impersonation proxy.
+./pinniped get kubeconfig \
+  --static-token "pinny-the-seal:password123" \
+  --concierge-mode ImpersonationProxy >/tmp/kubeconfig
+
+echo
+echo 'Ready. In another tab, use "kubectl --kubeconfig /tmp/kubeconfig <cmd>" to make requests through the impersonation proxy.'
+echo "When done, cancel with ctrl-C to clean up."
+wait $port_forward_pid