diff --git a/vault/kubernetes-roles/authentik.yaml b/vault/kubernetes-roles/authentik.yaml
new file mode 100644
index 0000000..bf99e04
--- /dev/null
+++ b/vault/kubernetes-roles/authentik.yaml
@@ -0,0 +1,6 @@
+bound_service_account_names:
+ - authentik-secret
+bound_service_account_namespaces:
+ - authentik
+token_policies:
+ - authentik
diff --git a/vault/policy/authentik.hcl b/vault/policy/authentik.hcl
new file mode 100644
index 0000000..916bb88
--- /dev/null
+++ b/vault/policy/authentik.hcl
@@ -0,0 +1,3 @@
+path "secret/data/authentik" {
+ capabilities = ["read"]
+}
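Review bot: The new role in vault/kubernetes-roles/authentik.yaml sets neither an `audience` nor a token lifetime. Without `audience`, Vault does not check the `aud` claim of the presented service account JWT, and without a TTL the issued token falls back to the auth mount's default lifetime. Assuming the tooling that applies these files passes the keys straight through to the Kubernetes auth role (the key names suggest it does), I would add `audience: <expected-audience>` and a short `token_ttl: <ttl>` with a matching `token_max_ttl: <max-ttl>`. The service account name and namespace bindings are exact values with no wildcards, which is the right shape.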
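Review bot: The path in vault/policy/authentik.hcl includes the `data/` segment, which only matches on a KV version 2 mount, and nothing in the file records that assumption. A header comment such as `# Read-only access to the KV v2 secret "authentik" on the secret/ mount; attached to the authentik Kubernetes auth role` would make it visible to whoever later re-mounts or migrates the engine. The grant covers one exact path with `read` only, so keys nested under `secret/data/authentik/` are not readable; that looks intended, but it is worth confirming against how the consumer lays out its secrets.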