diff --git a/services/vault/scripts/vault_oidc_configure.sh b/services/vault/scripts/vault_oidc_configure.sh
index 01b0696..3d14e52 100644
--- a/services/vault/scripts/vault_oidc_configure.sh
+++ b/services/vault/scripts/vault_oidc_configure.sh
@@ -84,8 +84,10 @@ configure_role() {
 return
 fi
 claims="$(build_bound_claims "${groups_claim}" "${role_groups}")"
+ claims_file="$(mktemp)"
+ printf '%s' "${claims}" > "${claims_file}"
 scopes_csv="$(printf '%s' "${scopes}" | tr ' ' ',' | tr -s ',' | sed 's/^,//;s/,$//')"
- role_args="user_claim=${user_claim} oidc_scopes=${scopes_csv} token_policies=${role_policies} bound_audiences=${bound_audiences} bound_claims=${claims} bound_claims_type=${bound_claims_type}"
+ role_args="user_claim=${user_claim} oidc_scopes=${scopes_csv} token_policies=${role_policies} bound_audiences=${bound_audiences} bound_claims=@${claims_file} bound_claims_type=${bound_claims_type}"
 if [ -n "${groups_claim}" ]; then
 role_args="${role_args} groups_claim=${groups_claim}"
 fi
@@ -100,6 +102,7 @@ configure_role() {
 IFS=$old_ifs
 log "configuring oidc role ${role_name}"
 vault write "auth/oidc/role/${role_name}" ${role_args}
+ rm -f "${claims_file}"
 }
 
 configure_role "admin" "${admin_group}" "${admin_policies}"
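Review bot: The temp file created by `claims_file="$(mktemp)"` in the first hunk is only removed on the success path in the second hunk; if `vault write` fails (or, should the script run under `set -e`, any command between `mktemp` and the `rm -f`), the file holding the bound-claims JSON is left behind in the temp directory. Capture the status and clean up unconditionally, e.g. `rc=0`, `vault write "auth/oidc/role/${role_name}" ${role_args} || rc=$?`, `rm -f "${claims_file}"; return "${rc}"`, or register a cleanup trap immediately after `mktemp`. Routing only `bound_claims` through `@${claims_file}` does stop the JSON from being split apart in the unquoted `${role_args}`, but the remaining values in that string (`token_policies`, `bound_audiences`, and others) still go through the same IFS word-splitting, so a value containing whitespace would still break the command; a short comment on the `role_args=` line, such as `# bound_claims is JSON with spaces; pass it via @file so the unquoted ${role_args} split does not break it`, would record why this one value is special-cased. The body of `configure_role` starts before and continues between the two visible hunks.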