diff --git a/auth_kubernetes_roles.tf b/auth_kubernetes_roles.tf
index 74b2622..35b38b1 100644
--- a/auth_kubernetes_roles.tf
+++ b/auth_kubernetes_roles.tf
@@ -61,13 +61,20 @@ resource "vault_kubernetes_auth_backend_role" "cert_manager_issuer" {
 }

 resource "vault_kubernetes_auth_backend_role" "ceph-csi" {
- backend = vault_auth_backend.kubernetes.path
- role_name = "ceph-csi"
- bound_service_account_names = ["ceph-csi-rbd-csi-rbdplugin-provisioner"]
- bound_service_account_namespaces = ["ceph-csi"]
- token_ttl = 60
+ backend = vault_auth_backend.kubernetes.path
+ role_name = "ceph-csi"
+ bound_service_account_names = [
+ "ceph-csi-rbd-csi-rbd-provisioner",
+ "ceph-csi-cephfs-csi-cephfs-provisioner",
+ ]
+ bound_service_account_namespaces = [
+ "csi-cephrbd",
+ "csi-cephfs",
+ ]
+ token_ttl = 60
 token_policies = [
 "kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read",
+ "kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read",
 ]
 audience = "vault"
 }
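Review bot: The widened `ceph-csi` role accepts any listed service-account name in any listed namespace. The RBD provisioner name presented from `csi-cephfs` (or the reverse) therefore also authenticates, and every caller is issued both the `ceph-rbd-secret/read` and `ceph-cephfs-secret/read` policies. If the intended pairing is what the list order suggests (RBD provisioner in `csi-cephrbd`, CephFS provisioner in `csi-cephfs`), one role per driver would bind each identity to a single namespace and a single policy. The resource and role names below are suggestions only, and each driver's Vault role setting, which is not visible in this diff, would have to be changed to match.

```terraform
# Suggested split; names are illustrative and must match each CSI driver's configured Vault role.
resource "vault_kubernetes_auth_backend_role" "ceph_csi_rbd" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "ceph-csi-rbd"
  bound_service_account_names      = ["ceph-csi-rbd-csi-rbd-provisioner"]
  bound_service_account_namespaces = ["csi-cephrbd"]
  token_ttl                        = 60
  token_policies = [
    "kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read",
  ]
  audience = "vault"
}

resource "vault_kubernetes_auth_backend_role" "ceph_csi_cephfs" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "ceph-csi-cephfs"
  bound_service_account_names      = ["ceph-csi-cephfs-csi-cephfs-provisioner"]
  bound_service_account_namespaces = ["csi-cephfs"]
  token_ttl                        = 60
  token_policies = [
    "kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read",
  ]
  audience = "vault"
}
```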