diff --git a/services/vault/k8s-auth-config-cronjob.yaml b/services/vault/k8s-auth-config-cronjob.yaml
index d974f6b..3b74932 100644
--- a/services/vault/k8s-auth-config-cronjob.yaml
+++ b/services/vault/k8s-auth-config-cronjob.yaml
@@ -24,7 +24,7 @@ spec:
 image: hashicorp/vault:1.17.6
 imagePullPolicy: IfNotPresent
 command:
- - bash
+ - sh
 - /scripts/vault_k8s_auth_configure.sh
 env:
 - name: VAULT_ADDR
diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh
index 15973e6..9e2f674 100644
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
@@ -1,5 +1,5 @@
-#!/usr/bin/env bash
-set -euo pipefail
+#!/usr/bin/env sh
+set -eu
 log() { echo "[vault-k8s-auth] $*"; }
@@ -35,13 +35,13 @@ vault write auth/kubernetes/config \
 kubernetes_host="${k8s_host}" \
 kubernetes_ca_cert="${k8s_ca}"
-declare -A roles
-roles[outline]=outline-vault
-roles[planka]=planka-vault
-
-for namespace in "${!roles[@]}"; do
+for namespace in outline planka; do
 policy_name="${namespace}"
- service_account="${roles[$namespace]}"
+ case "${namespace}" in
+ outline) service_account="outline-vault" ;;
+ planka) service_account="planka-vault" ;;
+ *) log "unknown namespace ${namespace}"; exit 1 ;;
+ esac
 log "writing policy ${policy_name}"
 vault policy write "${policy_name}" - <
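Review bot: The `command` entry in k8s-auth-config-cronjob.yaml now names `sh` directly, so the script's shebang is never consulted and the manifest alone picks the interpreter, yet nothing in the visible lines records that constraint. A one-line comment above the entry, for example `# POSIX sh only: keep vault_k8s_auth_configure.sh free of bashisms`, would stop a later edit from reintroducing bash-only syntax that fails only when the CronJob runs. Presumably the pinned image ships no bash, but that is not stated here and is worth confirming in the commit message.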
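Review bot: Replacing `set -euo pipefail` with `set -eu` at the top of vault_k8s_auth_configure.sh means a failure in any non-final stage of a pipeline no longer aborts the script, which matters for a job that writes Vault auth configuration and policies. Most of the script lies outside this hunk, so whether it uses pipelines cannot be confirmed from here. If it does, the option can be kept wherever the shell supports it by adding `if (set -o pipefail) 2>/dev/null; then set -o pipefail; fi` after `set -eu`. Otherwise a comment such as `# no pipefail under plain sh: avoid pipelines whose early stages can fail` would document the reduced error checking.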