diff --git a/cookbooks/vault/files/etc/vault.d/policies/consul-auto-config.hcl b/cookbooks/vault/files/etc/vault.d/policies/consul-auto-config.hcl
new file mode 100644
index 0000000..ea38308
--- /dev/null
+++ b/cookbooks/vault/files/etc/vault.d/policies/consul-auto-config.hcl
@@ -0,0 +1,7 @@
+{
+ "path": {
+ "identity/oidc/token/oidc-role": {
+ "policy": "read"
+ }
+ }
+}
diff --git a/cookbooks/vault/files/etc/vault.d/policies/consul-connect-vault.hcl b/cookbooks/vault/files/etc/vault.d/policies/consul-connect-vault.hcl
new file mode 100644
index 0000000..de60791
--- /dev/null
+++ b/cookbooks/vault/files/etc/vault.d/policies/consul-connect-vault.hcl
@@ -0,0 +1,20 @@
+# Consul Managed PKI Mounts
+path "/sys/mounts" {
+ capabilities = [ "read" ]
+}
+
+path "/sys/mounts/connect_root" {
+ capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+path "/sys/mounts/connect_inter" {
+ capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+path "/connect_root/*" {
+ capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+path "/connect_inter/*" {
+ capabilities = [ "create", "read", "update", "delete", "list" ]
+}
diff --git a/cookbooks/vault/setup.rb b/cookbooks/vault/setup.rb
index fd42d85..2c0e2ce 100644
--- a/cookbooks/vault/setup.rb
+++ b/cookbooks/vault/setup.rb
@@ -12,3 +12,11 @@ directory '/etc/vault.d/policies' do
 group 'vault'
 mode '755'
 end
+
+%w( consul-auto-config consul-connect-vault ).each do |conf|
+ remote_file "/etc/vault.d/policies/#{conf}.hcl" do
+ owner 'vault'
+ group 'vault'
+ mode '644'
+ end
+end
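Review bot: consul-auto-config.hcl is written in the JSON policy form with the legacy `"policy": "read"` key, while the sibling consul-connect-vault.hcl added in the same commit uses HCL with `capabilities = [ ... ]`; Vault still accepts the `policy` key but documents it as deprecated in favour of `capabilities`, and mixing the two forms in one policies directory makes later audits of what each token may do harder than it needs to be. Rewriting it in the same shape as its sibling keeps the grant identical: `path "identity/oidc/token/oidc-role" {` / `  capabilities = [ "read" ]` / `}`. A one-line header comment naming the consumer of this policy (the Consul auto-config token, as the filename suggests) would also help, matching the `# Consul Managed PKI Mounts` header on the other file.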
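Review bot: The four mount and path blocks after `path "/sys/mounts"` grant the Consul token `delete` on `/sys/mounts/connect_root` and full CRUD under `/connect_root/*`, so whatever holds this token can unmount or rewrite the root CA backend as well as the intermediate; that matches the broad "Consul-managed mounts" variant that the header comment names, but it is more than Consul needs if the operator pre-creates the PKI mounts, in which case the root mount can be limited to `read` on `/sys/mounts/connect_root` plus the specific `/connect_root/...` sign and CA-read paths Consul actually calls, leaving full CRUD only on the intermediate. If the broad grant is intentional, a comment stating why and which token is bound to it would stop a future reviewer from quietly narrowing it, e.g. `# Intentionally broad: Consul creates and rotates both PKI mounts itself; operator does not pre-provision them.` The leading `/` on each path is harmless as far as I know (Vault normalises it) but is unusual in policy files and worth dropping for consistency with other policies in the tree.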
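Review bot: The `remote_file` resources inside the new `%w( ... ).each` loop carry no `source`, so they appear to rely on the framework's implicit lookup of the destination path under the cookbook's `files/` tree, which is exactly where the two `.hcl` files in this commit land; that coupling is invisible from setup.rb alone, so a comment would help, e.g. `# source resolves to cookbooks/vault/files/<destination path>, where the two policy files live`. Nothing in the hunk registers the installed files with Vault itself; if that is done elsewhere (or manually), a pointer to it in the same comment would save the next reader a search. Stylistically, `%w( consul-auto-config consul-connect-vault )` with padding spaces is non-idiomatic; `%w[consul-auto-config consul-connect-vault]` is the conventional form and matches RuboCop's default. The `directory '/etc/vault.d/policies' do` resource whose trailing lines form the hunk's context starts outside the hunk.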