diff --git a/manifests/vault/oidc-job.yaml b/manifests/vault/oidc-job.yaml
index 25b9763..dc508be 100644
--- a/manifests/vault/oidc-job.yaml
+++ b/manifests/vault/oidc-job.yaml
@@ -8,11 +8,10 @@ spec:
     spec:
       restartPolicy: OnFailure
       containers:
-      - name: oidc-setup
-        image: harbor.dvirlabs.com/dev-tools/vault:1.15.5-curl
-        command: ["/bin/sh", "-c"]
-        args:
-          - |
+        - name: oidc-setup
+          image: harbor.dvirlabs.com/dev-tools/vault:1.15.5-curl
+          command: ["/bin/sh", "-c"]
+          args: |-
             echo "⏳ Waiting for Vault to become available..."
             until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do
               sleep 2
@@ -29,14 +28,14 @@ spec:
               oidc_discovery_url="https://keycloak.dvirlabs.com/realms/lab" \
               oidc_client_id="vault" \
               oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \
-              default_role="default"
+              default_role="vault-admins"
 
-            echo "📜 Writing Vault policy..."
+            echo "📜 Writing Vault policy: oidc-ui-access"
             vault policy write oidc-ui-access - <<EOF
             path "auth/oidc/role/default" {
               capabilities = ["read"]
             }
-            EOF
+EOF
 
             echo "🎯 Creating OIDC role named 'default'..."
             vault write auth/oidc/role/default \
@@ -48,11 +47,31 @@ spec:
               policies="default" \
               token_policies="oidc-ui-access" \
               ttl="1h"
-        volumeMounts:
-        - name: vault-token
-          mountPath: /vault/secrets
-          readOnly: true
+
+            echo "📜 Writing Vault policy: vault-admin"
+            vault policy write vault-admin - <<EOF
+            path "*" {
+              capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+            }
+EOF
+
+            echo "🎯 Creating OIDC role named 'vault-admins'..."
+            vault write auth/oidc/role/vault-admins \
+              bound_audiences="vault" \
+              allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
+              user_claim="sub" \
+              groups_claim="groups" \
+              bound_claims='{"groups": "vault-admins"}' \
+              oidc_scopes="profile email groups" \
+              policies="vault-admin" \
+              ttl="1h"
+
+            echo "✅ All OIDC setup completed."
+          volumeMounts:
+            - name: vault-token
+              mountPath: /vault/secrets
+              readOnly: true
       volumes:
-      - name: vault-token
-        secret:
-          secretName: vault-init
+        - name: vault-token
+          secret:
+            secretName: vault-init