diff --git a/cas/vaultcas/vaultcas.go b/cas/vaultcas/vaultcas.go
index c29ef691..8a09a850 100644
--- a/cas/vaultcas/vaultcas.go
+++ b/cas/vaultcas/vaultcas.go
@@ -18,6 +18,7 @@ import (
 
 	vault "github.com/hashicorp/vault/api"
 	auth "github.com/hashicorp/vault/api/auth/approle"
+	kubeauth "github.com/hashicorp/vault/api/auth/kubernetes"
 )
 
 func init() {
@@ -34,6 +35,7 @@ type VaultOptions struct {
 	PKIRoleRSA      string        `json:"pkiRoleRSA,omitempty"`
 	PKIRoleEC       string        `json:"pkiRoleEC,omitempty"`
 	PKIRoleEd25519  string        `json:"pkiRoleEd25519,omitempty"`
+	KubernetesRole  string        `json:"kubernetesRole,omitempty"`
 	RoleID          string        `json:"roleID,omitempty"`
 	SecretID        auth.SecretID `json:"secretID,omitempty"`
 	AppRole         string        `json:"appRole,omitempty"`
@@ -77,31 +79,49 @@ func New(ctx context.Context, opts apiv1.Options) (*VaultCAS, error) {
 		return nil, fmt.Errorf("unable to initialize vault client: %w", err)
 	}
 
-	var appRoleAuth *auth.AppRoleAuth
-	if vc.IsWrappingToken {
-		appRoleAuth, err = auth.NewAppRoleAuth(
-			vc.RoleID,
-			&vc.SecretID,
-			auth.WithWrappingToken(),
-			auth.WithMountPath(vc.AppRole),
+	if vc.KubernetesRole != "" {
+		var kubernetesAuth *kubeauth.KubernetesAuth
+		kubernetesAuth, err = kubeauth.NewKubernetesAuth(
+			vc.KubernetesRole,
 		)
+		if err != nil {
+			return nil, fmt.Errorf("unable to initialize Kubernetes auth method: %w", err)
+		}
+
+		authInfo, err := client.Auth().Login(ctx, kubernetesAuth)
+		if err != nil {
+			return nil, fmt.Errorf("unable to login to Kubernetes auth method: %w", err)
+		}
+		if authInfo == nil {
+			return nil, errors.New("no auth info was returned after login")
+		}
 	} else {
-		appRoleAuth, err = auth.NewAppRoleAuth(
-			vc.RoleID,
-			&vc.SecretID,
-			auth.WithMountPath(vc.AppRole),
-		)
-	}
-	if err != nil {
-		return nil, fmt.Errorf("unable to initialize AppRole auth method: %w", err)
-	}
+		var appRoleAuth *auth.AppRoleAuth
+		if vc.IsWrappingToken {
+			appRoleAuth, err = auth.NewAppRoleAuth(
+				vc.RoleID,
+				&vc.SecretID,
+				auth.WithWrappingToken(),
+				auth.WithMountPath(vc.AppRole),
+			)
+		} else {
+			appRoleAuth, err = auth.NewAppRoleAuth(
+				vc.RoleID,
+				&vc.SecretID,
+				auth.WithMountPath(vc.AppRole),
+			)
+		}
+		if err != nil {
+			return nil, fmt.Errorf("unable to initialize AppRole auth method: %w", err)
+		}
 
-	authInfo, err := client.Auth().Login(ctx, appRoleAuth)
-	if err != nil {
-		return nil, fmt.Errorf("unable to login to AppRole auth method: %w", err)
-	}
-	if authInfo == nil {
-		return nil, errors.New("no auth info was returned after login")
+		authInfo, err := client.Auth().Login(ctx, appRoleAuth)
+		if err != nil {
+			return nil, fmt.Errorf("unable to login to AppRole auth method: %w", err)
+		}
+		if authInfo == nil {
+			return nil, errors.New("no auth info was returned after login")
+		}
 	}
 
 	return &VaultCAS{
@@ -272,11 +292,11 @@ func loadOptions(config json.RawMessage) (*VaultOptions, error) {
 		vc.PKIRoleEd25519 = vc.PKIRoleDefault
 	}
 
-	if vc.RoleID == "" {
-		return nil, errors.New("vaultCAS config options must define `roleID`")
+	if vc.RoleID == "" && vc.KubernetesRole == "" {
+		return nil, errors.New("vaultCAS config options must define `roleID` or `kubernetesRole`")
 	}
 
-	if vc.SecretID.FromEnv == "" && vc.SecretID.FromFile == "" && vc.SecretID.FromString == "" {
+	if vc.SecretID.FromEnv == "" && vc.SecretID.FromFile == "" && vc.SecretID.FromString == "" && vc.RoleID != "" {
 		return nil, errors.New("vaultCAS config options must define `secretID` object with one of `FromEnv`, `FromFile` or `FromString`")
 	}
 
diff --git a/go.mod b/go.mod
index 8b66f470..0b772018 100644
--- a/go.mod
+++ b/go.mod
@@ -29,6 +29,7 @@ require (
 	github.com/googleapis/gax-go/v2 v2.1.1
 	github.com/hashicorp/vault/api v1.3.1
 	github.com/hashicorp/vault/api/auth/approle v0.1.1
+	github.com/hashicorp/vault/api/auth/kubernetes v0.1.0
 	github.com/jhump/protoreflect v1.9.0 // indirect
 	github.com/mattn/go-colorable v0.1.8 // indirect
 	github.com/mattn/go-isatty v0.0.13 // indirect
diff --git a/go.sum b/go.sum
index 4780111e..d76648c2 100644
--- a/go.sum
+++ b/go.sum
@@ -449,6 +449,8 @@ github.com/hashicorp/vault/api v1.3.1 h1:pkDkcgTh47PRjY1NEFeofqR4W/HkNUi9qIakESO
 github.com/hashicorp/vault/api v1.3.1/go.mod h1:QeJoWxMFt+MsuWcYhmwRLwKEXrjwAFFywzhptMsTIUw=
 github.com/hashicorp/vault/api/auth/approle v0.1.1 h1:R5yA+xcNvw1ix6bDuWOaLOq2L4L77zDCVsethNw97xQ=
 github.com/hashicorp/vault/api/auth/approle v0.1.1/go.mod h1:mHOLgh//xDx4dpqXoq6tS8Ob0FoCFWLU2ibJ26Lfmag=
+github.com/hashicorp/vault/api/auth/kubernetes v0.1.0 h1:6BtyahbF4aQp8gg3ww0A/oIoqzbhpNP1spXU3nHE0n0=
+github.com/hashicorp/vault/api/auth/kubernetes v0.1.0/go.mod h1:Pdgk78uIs0mgDOLvc3a+h/vYIT9rznw2sz+ucuH9024=
 github.com/hashicorp/vault/sdk v0.3.0 h1:kR3dpxNkhh/wr6ycaJYqp6AFT/i2xaftbfnwZduTKEY=
 github.com/hashicorp/vault/sdk v0.3.0/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb h1:b5rjCoWHc7eqmAS4/qyk21ZsHyb6Mxv/jykxvNTkU4M=