diff --git a/08_Vault/auth-token-secret.yaml b/08_Vault/auth-token-secret.yaml
new file mode 100644
index 0000000..6a3c5e1
--- /dev/null
+++ b/08_Vault/auth-token-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: vault-auth-token
+ annotations:
+ kubernetes.io/service-account.name: vault-auth
+type: kubernetes.io/service-account-token
+
diff --git a/08_Vault/justfile b/08_Vault/justfile
index 6711338..f912f0a 100644
--- a/08_Vault/justfile
+++ b/08_Vault/justfile
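Review bot: The Secret mints a non-expiring service-account token for `vault-auth`, and the justfile in this commit copies it into Vault as `token_reviewer_jwt`, yet nothing in the manifest records that this is a long-lived credential that must be deleted and re-created (and the Vault config rewritten) to rotate it. A header comment would help the next maintainer: `# Long-lived token for the vault-auth SA; Vault presents it for TokenReview calls. Delete and re-create this Secret to rotate.` Newer Vault releases can fall back to the Vault pod's own projected SA token when `token_reviewer_jwt` is left unset, which avoids storing a long-lived token at all — worth a note if that is an option for this setup.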
@@ -50,10 +50,77 @@ install:
 kubectl wait pod --for=condition=PodReadyToStartContainers \
 -n ${K8S_VAULT_NAMESPACE} vault-0 --timeout=5m
+ # Wait for Vault service to be ready to accept connections
+ echo "Waiting for Vault service to be ready..."
+ for i in {1..30}; do
+ if kubectl exec -n ${K8S_VAULT_NAMESPACE} vault-0 -- \
+ vault status 2>&1 | grep -qE "(Initialized|Sealed)"; then
+ echo "✓ Vault service is ready"
+ break
+ fi
+ if [ $i -eq 30 ]; then
+ echo "Error: Timeout waiting for Vault service to be ready"
+ exit 1
+ fi
+ sleep 3
+ done
+
+ init_output=$(kubectl exec -n ${K8S_VAULT_NAMESPACE} vault-0 -- \
+ vault operator init -key-shares=1 -key-threshold=1 -format=json || true)
+
+ root_token=""
+ if echo "${init_output}" | grep -q "Vault is already initialized"; then
+ echo "Vault is already initialized"
+ while [ -z "${root_token}" ]; do
+ root_token=$(gum input --prompt="Vault root token: " --password --width=100)
+ done
+ else
+ unseal_key=$(echo "${init_output}" | jq -r '.unseal_keys_b64[0]')
+ root_token=$(echo "${init_output}" | jq -r '.root_token')
+ kubectl exec -n ${K8S_VAULT_NAMESPACE} vault-0 -- \
+ vault operator unseal "${unseal_key}"
+ echo "Vault initialized and unsealed successfully"
+ echo "Root Token: ${root_token}"
+ echo "Unseal Key: ${unseal_key}"
+ echo "Please save these credentials securely!"
+ fi
+
+ # Wait for all vault instances to pass readiness checks and be ready to serve requests
+ kubectl wait pod --for=condition=ready -n ${K8S_VAULT_NAMESPACE} \
+ -l app.kubernetes.io/name=vault --timeout=5m
+
+ just setup-kubernetes-auth "${root_token}"
+
 # Uninstall Vault
 uninstall delete-ns='false':
 #!/bin/bash
 set -euo pipefail
 helm uninstall vault -n ${K8S_VAULT_NAMESPACE} --ignore-not-found --wait
- just delete-namespace
\ No newline at end of file
+ just delete-namespace
+
+
+# Setup Kubernetes authentication
+setup-kubernetes-auth root_token='':
+ #!/bin/bash
+ set -euo pipefail
+ export VAULT_TOKEN="{{ root_token }}"
+ while [ -z "${VAULT_TOKEN}" ]; do
+ VAULT_TOKEN=$(gum input --prompt="Vault root token: " --password --width=100)
+ done
+
+ gomplate -f ./serviceaccount.gomplate.yaml | kubectl apply -n "${K8S_VAULT_NAMESPACE}" -f -
+ gomplate -f ./rolebinding.gomplate.yaml | kubectl apply -n "${K8S_VAULT_NAMESPACE}" -f -
+ kubectl apply -n "${K8S_VAULT_NAMESPACE}" -f ./auth-token-secret.yaml
+
+ SA_SECRET="vault-auth-token"
+ SA_JWT=$(kubectl get secret -n ${K8S_VAULT_NAMESPACE} ${SA_SECRET} -o jsonpath='{.data.token}' | base64 --decode)
+ SA_CA=$(kubectl get secret -n ${K8S_VAULT_NAMESPACE} ${SA_SECRET} -o jsonpath='{.data.ca\.crt}' | base64 --decode)
+
+ vault auth list -format=json | jq -e '.["kubernetes/"]' >/dev/null 2>&1 || \
+ vault auth enable kubernetes
+
+ vault write auth/kubernetes/config \
+ token_reviewer_jwt="${SA_JWT}" \
+ kubernetes_host="https://kubernetes.default.svc" \
+ kubernetes_ca_cert="${SA_CA}"
diff --git a/08_Vault/rolebinding.gomplate.yaml b/08_Vault/rolebinding.gomplate.yaml
new file mode 100644
index 0000000..12e7dd4
--- /dev/null
+++ b/08_Vault/rolebinding.gomplate.yaml
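Review bot: `init_output` captures only stdout, but the Vault CLI prints API errors to stderr, so the `grep -q "Vault is already initialized"` branch will not match on a re-run and the else branch instead runs `jq` on empty input and calls `vault operator unseal` with an empty key; capturing both streams, `vault operator init -key-shares=1 -key-threshold=1 -format=json 2>&1 || true)`, makes the re-run path behave as intended. In `setup-kubernetes-auth`, `SA_JWT` is read immediately after `kubectl apply` of the token Secret, yet the token controller fills `.data.token` asynchronously and a jsonpath on a missing key exits 0, so an empty `token_reviewer_jwt` can reach `vault write auth/kubernetes/config` without tripping `set -e`; a short poll before reading it closes that gap (sketched below). Separately, the root token is echoed to stdout and handed to `just setup-kubernetes-auth` as an argument, which puts it in shell history, `ps` output and any captured log, and `{{ root_token }}` also embeds it in the generated recipe script — exporting it as `VAULT_TOKEN` in the caller's environment and letting the recipe read the variable is a smaller exposure. The `install` recipe begins outside this hunk.
```just
    SA_SECRET="vault-auth-token"
    # … unchanged: kubectl apply of the Secret above …
    SA_JWT=""
    for _ in {1..30}; do
      SA_JWT=$(kubectl get secret -n "${K8S_VAULT_NAMESPACE}" "${SA_SECRET}" -o jsonpath='{.data.token}' | base64 --decode)
      [ -n "${SA_JWT}" ] && break
      sleep 2
    done
    [ -n "${SA_JWT}" ] || { echo "Error: token for ${SA_SECRET} was not populated" >&2; exit 1; }
    # … unchanged: SA_CA, vault auth enable, vault write …
```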
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: vault-auth-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+ - kind: ServiceAccount
+ name: vault-auth
+ namespace: {{ .Env.K8S_VAULT_NAMESPACE }}
diff --git a/08_Vault/serviceaccount.gomplate.yaml b/08_Vault/serviceaccount.gomplate.yaml
new file mode 100644
index 0000000..784299e
--- /dev/null
+++ b/08_Vault/serviceaccount.gomplate.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: vault-auth
+ namespace: {{ .Env.K8S_VAULT_NAMESPACE }}