diff --git a/services/comms/oneoffs/synapse-admin-ensure-job.yaml b/services/comms/oneoffs/synapse-admin-ensure-job.yaml
index 6ea7798..af767cc 100644
--- a/services/comms/oneoffs/synapse-admin-ensure-job.yaml
+++ b/services/comms/oneoffs/synapse-admin-ensure-job.yaml
@@ -1,12 +1,12 @@
 # services/comms/oneoffs/synapse-admin-ensure-job.yaml
-# One-off job for comms/synapse-admin-ensure-4.
-# Purpose: synapse admin ensure 4 (see container args/env in this file).
+# One-off job for comms/synapse-admin-ensure-5.
+# Purpose: synapse admin ensure 5 (see container args/env in this file).
 # Run by setting spec.suspend to false, reconcile, then set it back to true.
 # Safe to delete the finished Job/pod; it should not run continuously.
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: synapse-admin-ensure-4
+  name: synapse-admin-ensure-5
   namespace: comms
 spec:
   suspend: false
@@ -93,7 +93,9 @@ spec:
                   with open(SA_TOKEN_PATH, "r", encoding="utf-8") as f:
                       jwt = f.read().strip()
                   payload = {"jwt": jwt, "role": VAULT_ROLE}
-                  resp = request_json(f"{VAULT_ADDR}/v1/auth/kubernetes/login", payload)
+                  status, resp = request_json(f"{VAULT_ADDR}/v1/auth/kubernetes/login", payload)
+                  if status != 200:
+                      raise RuntimeError(f"vault login failed: {status} {resp}")
                   token = resp.get("auth", {}).get("client_token")
                   if not token:
                       raise RuntimeError("vault login failed")