diff --git a/admin_approle.tf b/admin_approle.tf
index 6ec53e7..c12c7b0 100644
--- a/admin_approle.tf
+++ b/admin_approle.tf
@@ -22,5 +22,5 @@ resource "vault_identity_entity" "tenant_admin" {
 resource "vault_policy" "tenant_admin" {
   name = "${var.tenant_name}-admin"
-  policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_prefix = var.tenant_prefix }) : templatefile(var.tenant_admin_policy_file, { tenant_prefix = var.tenant_prefix })
+  policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_prefix = var.tenant_prefix, admin_policies = vault_approle_auth_backend_role.tenant_admin.token_policies }) : file(var.tenant_admin_policy_file)
 }
diff --git a/policies/tenant-admins.policy.hcl b/policies/tenant-admins.policy.hcl
index d318d9f..4452113 100644
--- a/policies/tenant-admins.policy.hcl
+++ b/policies/tenant-admins.policy.hcl
@@ -5,3 +5,10 @@ path "${tenant_prefix}/*" {
 path "sys/mounts/${tenant_prefix}/*" {
   capabilities = ["create", "update", "read", "delete", "list"]
 }
+
+path "auth/token/create" {
+  capabilities = ["create", "update", "delete"]
+  allowed_parameters = {
+    "policies" = [${admin_policies}, ${reverse(admin_policies)}]
+  }
+}
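Review bot: The custom-file branch of the `policy` expression now reads the file with `file(var.tenant_admin_policy_file)` instead of `templatefile(...)`, so a caller-supplied policy that contains `${tenant_prefix}` (as the bundled template does) is handed to Vault with that placeholder text verbatim, and its path rules presumably stop matching the tenant's mount. This is a silent change in what callers' files must contain, so either the description of `var.tenant_admin_policy_file` (outside this hunk) should state that the file is used as-is with no template rendering, or the branch should stay `templatefile(var.tenant_admin_policy_file, { tenant_prefix = var.tenant_prefix, admin_policies = vault_approle_auth_backend_role.tenant_admin.token_policies })` so both branches receive the same variables. The new reference to `vault_approle_auth_backend_role.tenant_admin.token_policies` also makes the policy re-render whenever the role's policy list changes; that looks intended, but a one-line comment such as `# admin_policies feeds the auth/token/create allow-list in the bundled template` would make the coupling visible.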
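Review bot: `"policies" = [${admin_policies}, ${reverse(admin_policies)}]` interpolates a collection value directly into the string template; `admin_policies` is fed from the role's `token_policies`, and Terraform's `${}` template interpolation accepts only strings, so rendering this file is expected to fail at plan time rather than emit an HCL list. Rendering it as `"policies" = ${jsonencode(admin_policies)}` produces a valid HCL list of the role's policies, and the `reverse()` copy then serves no purpose, since Vault appears to check list-valued request parameters element by element against the allowed values rather than as an ordered whole (verify against the Vault version in use). Two further points on the stanza: `delete` on `auth/token/create` has no effect there and can be dropped, and because `allowed_parameters` is now non-empty, Vault denies any parameter not listed in it (for example `ttl`) unless `"*" = []` is added; decide deliberately whether that restriction is intended and record it in a comment above the block, e.g. `# Child tokens may only carry this role's own policies; other create parameters are denied by allowed_parameters`.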