diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh
index 0212180..0b96368 100644
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
@@ -68,12 +68,28 @@ if ! vault_cmd auth list -format=json | grep -q '"kubernetes/"'; then
   vault_cmd auth enable kubernetes
 fi
 
+ensure_default_policy_login() {
+  default_policy="$(vault_cmd policy read default)"
+  if printf '%s' "${default_policy}" | grep -q 'auth/kubernetes/login'; then
+    return
+  fi
+  log "updating default policy to allow kubernetes login"
+  default_policy="${default_policy}
+path \"auth/kubernetes/login\" {
+  capabilities = [\"create\", \"update\"]
+}
+"
+  printf '%s\n' "${default_policy}" | vault_cmd policy write default -
+}
+
 log "configuring kubernetes auth"
 vault_cmd write auth/kubernetes/config \
   token_reviewer_jwt="${token_reviewer_jwt}" \
   kubernetes_host="${k8s_host}" \
   kubernetes_ca_cert="${k8s_ca}"
 
+ensure_default_policy_login
+
 write_raw_policy() {
   name="$1"
   body="$2"
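Review bot: In ensure_default_policy_login the result of `vault_cmd policy read default` is never checked, so if the read fails or returns nothing (Vault unreachable, token lacking read on sys/policy, transient error) the grep finds no match and the function writes a policy consisting of only the appended stanza, silently replacing the entire default policy that every token carries. Guard the read before mutating: `default_policy="$(vault_cmd policy read default)" || return 1` followed by `[ -n "${default_policy}" ] || { log "refusing to rewrite empty default policy"; return 1; }`, and check the `policy write` status as well so the caller at the bottom of the hunk does not proceed on a failed update. The `grep -q 'auth/kubernetes/login'` presence check is a substring match, so a comment or a differently-scoped rule mentioning that path would also skip the update; anchoring on `path "auth/kubernetes/login"` would be tighter. Since the default policy is attached to every Vault token, a one-line comment above the function stating why create/update on the login path is needed at that scope would help future reviewers judge the grant.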