diff --git a/doc/vault/setup.md b/doc/vault/setup.md
index a31da24..8f02c99 100644
--- a/doc/vault/setup.md
+++ b/doc/vault/setup.md
@@ -52,3 +52,31 @@
 
 # remove expired certificates
  vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
+
+# enable approles
+ vault auth enable approle
+
+# create certmanager policy and token, limit to puppetmaster
+ cat < certmanager.hcl
+ path "pki_int/issue/*" {
+ capabilities = ["create", "update", "read"]
+ }
+ path "pki_int/renew/*" {
+ capabilities = ["update"]
+ }
+ path "pki_int/cert/*" {
+ capabilities = ["read"]
+ }
+ EOF
+
+ vault policy write certmanager certmanager.hcl
+
+ vault write auth/approle/role/certmanager \
+ bind_secret_id=false \
+ token_policies="certmanager" \
+ token_ttl=30s \
+ token_max_ttl=30s \
+ token_bound_cidrs="198.18.17.3/32"
+
+# get the certmanager approle id
+ vault read -field=role_id auth/approle/role/certmanager/role-id