diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh
index 474d53a..37078f2 100644
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
@@ -137,6 +137,28 @@ path \"kv/metadata/atlas/${path}\" {
 }
 "
 done
+ if [ "${role}" = "maintenance" ]; then
+ policy_body="${policy_body}
+path \"sys/auth\" {
+ capabilities = [\"read\"]
+}
+path \"sys/auth/*\" {
+ capabilities = [\"create\", \"update\", \"read\", \"sudo\"]
+}
+path \"auth/kubernetes/*\" {
+ capabilities = [\"create\", \"update\", \"read\"]
+}
+path \"auth/oidc/*\" {
+ capabilities = [\"create\", \"update\", \"read\"]
+}
+path \"sys/policies/acl\" {
+ capabilities = [\"list\"]
+}
+path \"sys/policies/acl/*\" {
+ capabilities = [\"create\", \"update\", \"read\"]
+}
+"
+ fi
 log "writing policy ${role}"
 printf '%s\n' "${policy_body}" | vault_cmd policy write "${role}" -
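Review bot: The `sys/policies/acl/*` create/update stanza lets a token holding the `maintenance` policy rewrite any ACL policy, including `maintenance` itself and every policy other workloads are bound to, so this role can escalate to arbitrary capabilities; the `auth/kubernetes/*` and `auth/oidc/*` create/update grants likewise cover the mounts' `config` endpoints (Kubernetes host, CA and token-reviewer JWT; OIDC discovery URL and client secret), so the holder can repoint the auth backends and then bind any policy to any service account or identity through `role/*`. If the intent is a role-and-policy manager rather than a second root, restrict writes to the `role/*` subpaths, deny the `config` endpoints and the `maintenance` policy name explicitly (an exact-path `deny` wins over the glob in Vault), and limit policy writes to a name prefix this script owns — the hunk does not show what names it writes, so `atlas-*` below is a placeholder to match the actual naming. `sudo` on `sys/auth/*` is only needed for enabling or tuning auth mounts; confirm that is a requirement of this role before keeping it. The enclosing function and the `for` loop this `if` follows start outside the hunk.
```shell
path \"auth/kubernetes/config\" {
  capabilities = [\"deny\"]
}
path \"auth/kubernetes/role/*\" {
  capabilities = [\"create\", \"update\", \"read\"]
}
path \"auth/oidc/config\" {
  capabilities = [\"deny\"]
}
path \"auth/oidc/role/*\" {
  capabilities = [\"create\", \"update\", \"read\"]
}
# … unchanged: sys/auth, sys/auth/*, sys/policies/acl list stanzas …
path \"sys/policies/acl/maintenance\" {
  capabilities = [\"deny\"]
}
path \"sys/policies/acl/atlas-*\" {
  capabilities = [\"create\", \"update\", \"read\"]
}
```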