diff --git a/aws-github/templates/workload-cluster/provider-config/providerconfig.yaml b/aws-github/templates/workload-cluster/provider-config/providerconfig.yaml
index 860c149fd..3720cbfcc 100644
--- a/aws-github/templates/workload-cluster/provider-config/providerconfig.yaml
+++ b/aws-github/templates/workload-cluster/provider-config/providerconfig.yaml
@@ -38,7 +38,7 @@ spec:
 assume_role_with_web_identity {
 session_name = "kubefirst-pro"
 role_arn = ""
- web_identity_token_file = "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
+ web_identity_token_file = "/vault/secret/jwt-token"
 }
 }
 credentials:
diff --git a/civo-github/templates/mgmt/components/argocd/argocd-application-controller-sa.yaml b/civo-github/templates/mgmt/components/argocd/argocd-application-controller-sa.yaml
new file mode 100644
index 000000000..dbeb7d4ef
--- /dev/null
+++ b/civo-github/templates/mgmt/components/argocd/argocd-application-controller-sa.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "sa-argocd-application-controller"
+ vault.hashicorp.com/auth-path: auth/kubernetes/kubefirst
+ vault.hashicorp.com/agent-inject-secret-jwt-token: "identity/oidc/token/federated"
+ vault.hashicorp.com/agent-inject-template-jwt-token: |
+ {{- with secret "identity/oidc/token/federated" -}}
+ {{ .Data.token }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/component: application-controller
+ app.kubernetes.io/name: argocd-application-controller
+ app.kubernetes.io/part-of: argocd
+ name: argocd-application-controller
+ namespace: argocd
diff --git a/civo-github/templates/mgmt/components/argocd/argocd-server-sa.yaml b/civo-github/templates/mgmt/components/argocd/argocd-server-sa.yaml
new file mode 100644
index 000000000..618773df7
--- /dev/null
+++ b/civo-github/templates/mgmt/components/argocd/argocd-server-sa.yaml
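Review bot: The new `web_identity_token_file = "/vault/secret/jwt-token"` path looks off by one letter: unless the consuming pod overrides `vault.hashicorp.com/secret-volume-path`, the Vault Agent Injector renders `agent-inject-secret-<name>` files under `/vault/secrets/` (plural), so the AWS provider would not find the token at `/vault/secret/jwt-token`. The pod annotations that would inject this file into the provider-terraform pod are not in this hunk, so please check the path against whatever annotation actually produces it, or pin it explicitly with `vault.hashicorp.com/secret-volume-path: /vault/secret`. It is also worth a comment next to the line that the token is now a Vault-issued OIDC JWT rather than the projected EKS service-account token, since the IAM role's trust policy must then list Vault's issuer instead of the EKS OIDC provider, e.g. `# token is minted by Vault identity/oidc (issuer = Vault), not the EKS projected SA token`. The enclosing provider configuration block begins and ends outside this hunk.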
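Review bot: The `vault.hashicorp.com/*` annotations on this ServiceAccount will not, as far as I know, inject anything: the Vault Agent Injector is a mutating webhook on Pod create/update and reads annotations from the pod's own metadata, not from the ServiceAccount the pod runs as. To get the `jwt-token` file into the application-controller container, the same annotations need to be on the pod template of the argocd-application-controller workload (a `spec.template.metadata.annotations` patch), and the ServiceAccount itself only needs to exist so the Kubernetes auth role `sa-argocd-application-controller` can be bound to it. If the SA annotations are intentionally only a marker, a comment saying so would stop the next reader assuming injection is configured here, e.g. `# NOTE: injector annotations must also be present on the pod template; these are informational`. The Vault role binding this SA to `auth/kubernetes/kubefirst` is not part of this diff.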
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "sa-argocd-server"
+ vault.hashicorp.com/auth-path: auth/kubernetes/kubefirst
+ vault.hashicorp.com/agent-inject-secret-jwt-token: "identity/oidc/token/federated"
+ vault.hashicorp.com/agent-inject-template-jwt-token: |
+ {{- with secret "identity/oidc/token/federated" -}}
+ {{ .Data.token }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/component: server
+ app.kubernetes.io/name: argocd-server
+ app.kubernetes.io/part-of: argocd
+ name: argocd-server
+ namespace: argocd
diff --git a/civo-github/templates/mgmt/components/argocd/kustomization.yaml b/civo-github/templates/mgmt/components/argocd/kustomization.yaml
index 00ddbc540..11671f0da 100644
--- a/civo-github/templates/mgmt/components/argocd/kustomization.yaml
+++ b/civo-github/templates/mgmt/components/argocd/kustomization.yaml
@@ -13,6 +13,8 @@ resources:
 patchesStrategicMerge:
 - argocd-cm.yaml
 - argocd-cmd-params-cm.yaml
+ - argocd-server-sa.yaml
+ - argocd-application-controller-sa.yaml
 
 generatorOptions:
 disableNameSuffixHash: true
diff --git a/civo-github/templates/mgmt/components/crossplane/provider/controllerconfig.yaml b/civo-github/templates/mgmt/components/crossplane/provider/controllerconfig.yaml
index 3d9e9f701..8969f7721 100644
--- a/civo-github/templates/mgmt/components/crossplane/provider/controllerconfig.yaml
+++ b/civo-github/templates/mgmt/components/crossplane/provider/controllerconfig.yaml
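Review bot: Giving argocd-server the same federated token as the application controller widens the blast radius of a server compromise: anyone who gets code execution in the argocd-server pod (typically the externally exposed API/UI component) could read the rendered token file and exchange it for whatever cloud role trusts the `federated` issuer. The controller is the component that reconciles and applies manifests, so unless argocd-server has a concrete need for a cloud identity I would drop this patch and keep the token on the controller only; if it is needed, record why in a comment above `annotations:`, e.g. `# argocd-server needs the federated token for <reason>`. Note as well that the injector acts on pod annotations, so the argocd-server Deployment's pod template would need these same annotations for any sidecar to appear at all.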
@@ -7,6 +7,17 @@ metadata:
 app: crossplane-provider-terraform
 name: terraform-config
 spec:
+ metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "sa-crossplane-provider-terraform"
+ vault.hashicorp.com/auth-path: auth/kubernetes/kubefirst
+ vault.hashicorp.com/agent-inject-secret-jwt-token: "identity/oidc/token/federated"
+ vault.hashicorp.com/agent-inject-template-jwt-token: |
+ {{- with secret "identity/oidc/token/federated" -}}
+ {{ .Data.token }}
+ {{- end }}
 args:
 - -d
 - --poll=2m
diff --git a/civo-github/templates/mgmt/components/kubefirst/console.yaml b/civo-github/templates/mgmt/components/kubefirst/console.yaml
index cedff7331..59821c89a 100644
--- a/civo-github/templates/mgmt/components/kubefirst/console.yaml
+++ b/civo-github/templates/mgmt/components/kubefirst/console.yaml
@@ -26,6 +26,15 @@ spec:
 kubefirstVersion: ""
 useTelemetry: ""
 kubefirst-pro-api:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "sa-kubefirst-pro-api"
+ vault.hashicorp.com/auth-path: auth/kubernetes/kubefirst
+ vault.hashicorp.com/agent-inject-secret-jwt-token: "identity/oidc/token/federated"
+ vault.hashicorp.com/agent-inject-template-jwt-token: |
+ {{- with secret "identity/oidc/token/federated" -}}
+ {{ .Data.token }}
+ {{- end }}
 extraEnv:
 CLUSTER_NAME: ""
 kubefirst-pro-ui:
diff --git a/civo-github/terraform/vault/identity-token.tf b/civo-github/terraform/vault/identity-token.tf
new file mode 100644
index 000000000..19b99e16d
--- /dev/null
+++ b/civo-github/terraform/vault/identity-token.tf
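Review bot: `argocd.argoproj.io/sync-wave: '10'` is added under `spec.metadata.annotations`, which ControllerConfig copies onto the provider pod, where Argo CD never reads it; sync ordering is driven by the annotation on the Argo CD-managed resource itself, i.e. the top-level `metadata.annotations` of this ControllerConfig (the `metadata:` block that ends with `name: terraform-config` above). Move the sync-wave there and leave only the `vault.hashicorp.com/*` keys under `spec.metadata`. The Vault keys do belong on `spec.metadata`, since that is what lands on the pod template and the injector reads pod annotations. Whether the top-level `metadata:` block already has an `annotations:` map is not visible in this hunk.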
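Review bot: The `annotations:` map added under `kubefirst-pro-api` only has an effect if the console chart renders it onto the pod template of that workload; the Vault Agent Injector ignores annotations on the Deployment object, Services, or anything other than the Pod. The chart is not in this diff, so please confirm this values key maps to `spec.template.metadata.annotations` (some charts reserve `podAnnotations` for that) and add a comment such as `# must land on the pod template: Vault Agent Injector reads pod annotations only`. The Vault Kubernetes auth role `sa-kubefirst-pro-api` referenced here is not created anywhere in the part of the change shown.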
@@ -0,0 +1,32 @@
+resource "vault_identity_oidc" "this" {
+ issuer = "https://vault."
+}
+
+resource "vault_identity_oidc_key" "federated" {
+ name = "federated"
+ algorithm = "RS256"
+}
+
+resource "vault_identity_oidc_role" "federated" {
+ name = "federated"
+ key = vault_identity_oidc_key.federated.id
+ # This is temporary
+ client_id = "kubefirst.konstruct.io/federated"
+ ttl = 3600
+ template = <