diff --git a/manifests/vault/oidc-job.yaml b/manifests/vault/oidc-job.yaml
index 5ebf844..fe9ac7b 100644
--- a/manifests/vault/oidc-job.yaml
+++ b/manifests/vault/oidc-job.yaml
@@ -29,7 +29,7 @@ spec:
 fi
 echo "🔐 Enabling OIDC auth method..."
- vault auth enable oidc || true
+ vault auth enable oidc || true # ok if already enabled
 echo "🔧 Configuring OIDC connection to Keycloak..."
 vault write auth/oidc/config \
@@ -56,17 +56,22 @@ spec:
 vault policy write vault-admin /tmp/vault-admin.hcl
 echo "🎯 Creating OIDC role named 'vault-admins'..."
+ cat >/tmp/bound_claims.json <<'JSON'
+ {"groups": ["vault-admins"]}
+ JSON
+
 vault write auth/oidc/role/vault-admins \
 bound_audiences="vault" \
 allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
 user_claim="sub" \
 groups_claim="groups" \
- bound_claims='{"groups": "vault-admins"}' \
+ bound_claims=@/tmp/bound_claims.json \
 oidc_scopes="profile email groups" \
 policies="vault-admin" \
 ttl="1h"
 echo "✅ All OIDC setup completed successfully."
+
 volumeMounts:
 - name: vault-token
 mountPath: /vault/secrets
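Review bot: The new comment on `vault auth enable oidc || true` describes a narrower condition than the code enforces: `|| true` also hides permission, connectivity and token errors, so a failed enable only surfaces later when `vault write auth/oidc/config` runs. If idempotence is the intent, test for the mount instead, e.g. `vault auth list -format=json | grep -q '"oidc/"' || vault auth enable oidc`, which keeps real failures fatal while still tolerating an existing mount. The script block scalar starts and ends outside this hunk, so whether it runs under `set -e` is not visible here.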
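Review bot: The `bound_claims=@/tmp/bound_claims.json` indirection introduces a temp file and a heredoc for a value the CLI already accepted inline: the removed line passed the JSON as a plain argument, so `bound_claims='{"groups": ["vault-admins"]}'` would carry the new list form without touching the filesystem. If the file is kept, its name is fixed and it is never removed, so a pre-existing or stale `/tmp/bound_claims.json` in the job image would be read silently; a `mktemp` path with a trailing `rm -f` avoids that. The heredoc terminator `JSON` must also sit at exactly the block scalar's common indent, since YAML strips that indent before the shell looks for the delimiter; the indentation is not recoverable from this view, so please confirm the rendered script. The enclosing script block continues outside the hunk.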