diff --git a/config/auth_approle_role/approle/certmanager.yaml b/config/auth_approle_role/approle/certmanager.yaml
index 0e7ec68..43692bf 100644
--- a/config/auth_approle_role/approle/certmanager.yaml
+++ b/config/auth_approle_role/approle/certmanager.yaml
@@ -1,5 +1,3 @@
-token_policies:
- - "pki_int/certmanager"
 token_ttl: 30
 token_max_ttl: 30
 bind_secret_id: false
diff --git a/config/auth_approle_role/approle/incus_cluster.yaml b/config/auth_approle_role/approle/incus_cluster.yaml
index 57f1ae5..0f1ed65 100644
--- a/config/auth_approle_role/approle/incus_cluster.yaml
+++ b/config/auth_approle_role/approle/incus_cluster.yaml
@@ -1,6 +1,3 @@
-token_policies:
- - "default_access"
- - "kv/service/incus/incus-cluster-join-tokens"
 token_ttl: 60
 token_max_ttl: 120
 bind_secret_id: false
diff --git a/config/auth_approle_role/approle/packer_builder.yaml b/config/auth_approle_role/approle/packer_builder.yaml
index b75cceb..adfbe67 100644
--- a/config/auth_approle_role/approle/packer_builder.yaml
+++ b/config/auth_approle_role/approle/packer_builder.yaml
@@ -1,6 +1,3 @@
-token_policies:
- - "default_access"
- - "kv/service/packer/packer_builder"
 token_ttl: 300
 token_max_ttl: 600
 bind_secret_id: false
diff --git a/config/auth_approle_role/approle/puppetapi.yaml b/config/auth_approle_role/approle/puppetapi.yaml
index d58dfe6..43692bf 100644
--- a/config/auth_approle_role/approle/puppetapi.yaml
+++ b/config/auth_approle_role/approle/puppetapi.yaml
@@ -1,5 +1,3 @@
-token_policies:
- - "kv/service/puppetapi/puppetapi_read_tokens"
 token_ttl: 30
 token_max_ttl: 30
 bind_secret_id: false
diff --git a/config/auth_approle_role/approle/rpmbuilder.yaml b/config/auth_approle_role/approle/rpmbuilder.yaml
index 9a6b498..1f8f234 100644
--- a/config/auth_approle_role/approle/rpmbuilder.yaml
+++ b/config/auth_approle_role/approle/rpmbuilder.yaml
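Review bot: With `token_policies` dropped from certmanager.yaml (and likewise from incus_cluster, packer_builder, puppetapi, rpmbuilder, rundeck-role, sshsigner, terraform_incus, terraform_nomad, terraform_repoflow, tf_vault and every auth_kubernetes_role file), the only module call this diff rewires to `var.policy_auth_map` is `auth_ldap_group` in main.tf; nothing visible here does the same for the AppRole or Kubernetes auth role modules. If those module calls still read a `token_policies` attribute from the decoded YAML, the roles will either fail to plan or be created with no policies beyond Vault's built-in `default`, which fails closed but breaks cert-manager, the SSH signer and the rest at their next login. Assuming the mount is `approle`, confirming after apply with `vault read auth/approle/role/certmanager` that `token_policies` still lists `pki_int/certmanager` would close that gap.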
@@ -1,6 +1,3 @@
-token_policies:
- - "kv/service/github/neoloc/tokens/read-only-token/read"
- - "kv/service/gitea/unkinben/tokens/read-only-packages/read"
 token_ttl: 30
 token_max_ttl: 30
 bind_secret_id: false
diff --git a/config/auth_approle_role/approle/rundeck-role.yaml b/config/auth_approle_role/approle/rundeck-role.yaml
index 76fd259..4dafb26 100644
--- a/config/auth_approle_role/approle/rundeck-role.yaml
+++ b/config/auth_approle_role/approle/rundeck-role.yaml
@@ -1,5 +1,3 @@
-token_policies:
- - "rundeck/rundeck"
 token_ttl: 3600
 token_max_ttl: 14400
 bind_secret_id: true
diff --git a/config/auth_approle_role/approle/sshsigner.yaml b/config/auth_approle_role/approle/sshsigner.yaml
index 4fa774d..43692bf 100644
--- a/config/auth_approle_role/approle/sshsigner.yaml
+++ b/config/auth_approle_role/approle/sshsigner.yaml
@@ -1,6 +1,3 @@
-token_policies:
- - "ssh-host-signer/sshsigner"
- - "sshca_signhost"
 token_ttl: 30
 token_max_ttl: 30
 bind_secret_id: false
diff --git a/config/auth_approle_role/approle/terraform_incus.yaml b/config/auth_approle_role/approle/terraform_incus.yaml
index fdd409b..7cbed93 100644
--- a/config/auth_approle_role/approle/terraform_incus.yaml
+++ b/config/auth_approle_role/approle/terraform_incus.yaml
@@ -1,7 +1,3 @@
-token_policies:
- - "default_access"
- - "kv/service/terraform/incus"
- - "kv/service/puppet/certificates/terraform_puppet_cert"
 token_ttl: 60
 token_max_ttl: 120
 bind_secret_id: false
diff --git a/config/auth_approle_role/approle/terraform_nomad.yaml b/config/auth_approle_role/approle/terraform_nomad.yaml
index ff85b2b..7cbed93 100644
--- a/config/auth_approle_role/approle/terraform_nomad.yaml
+++ b/config/auth_approle_role/approle/terraform_nomad.yaml
@@ -1,6 +1,3 @@
-token_policies:
- - "default_access"
- - "kv/service/terraform/nomad"
 token_ttl: 60
 token_max_ttl: 120
 bind_secret_id: false
diff --git a/config/auth_approle_role/approle/terraform_repoflow.yaml b/config/auth_approle_role/approle/terraform_repoflow.yaml
index 4d4d7bc..7cbed93 100644
--- a/config/auth_approle_role/approle/terraform_repoflow.yaml
+++ b/config/auth_approle_role/approle/terraform_repoflow.yaml
@@ -1,7 +1,3 @@
-token_policies:
- - "default_access"
- - "kv/service/repoflow/unkinadmin/tokens/terraform/read"
- - "kv/service/terraform/repoflow"
 token_ttl: 60
 token_max_ttl: 120
 bind_secret_id: false
diff --git a/config/auth_approle_role/approle/tf_vault.yaml b/config/auth_approle_role/approle/tf_vault.yaml
index cf5b647..0c403de 100644
--- a/config/auth_approle_role/approle/tf_vault.yaml
+++ b/config/auth_approle_role/approle/tf_vault.yaml
@@ -1,27 +1,3 @@
-token_policies:
- - "default_access"
- - "approle_token_create"
- - "auth/approle/approle_role_admin"
- - "auth/approle/approle_role_login"
- - "auth/kubernetes/k8s_auth_admin"
- - "auth/ldap/ldap_admin"
- - "auth/token/auth_token_create"
- - "auth/token/auth_token_self"
- - "auth/token/auth_token_roles_admin"
- - "kubernetes/au/config_admin"
- - "kubernetes/au/roles_admin"
- - "kv/service/glauth/services/svc_vault_read"
- - "kv/service/kubernetes/au/syd1/token_reviewer_jwt/read"
- - "kv/service/kubernetes/au/syd1/service_account_jwt/read"
- - "kv/service/vault/auth_backends_read"
- - "pki_int/pki_int_roles_admin"
- - "pki_root/pki_root_roles_admin"
- - "ssh-host-signer/ssh-host-signer_roles_admin"
- - "sshca/sshca_roles_admin"
- - "sys/sys_auth_admin"
- - "sys/sys_mounts_admin"
- - "sys/sys_policy_admin"
- - "transit/keys/admin"
 token_ttl: 60
 token_max_ttl: 120
 bind_secret_id: false
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml b/config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml
index f9dcb51..31767b9 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml
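Review bot: The 23 policies removed from tf_vault.yaml include the broadest grants in this diff (`sys/sys_policy_admin`, `sys/sys_auth_admin`, `auth/token/auth_token_create`, `auth/approle/approle_role_admin`, `auth/ldap/ldap_admin`), so the role file no longer carries any signal that this AppRole is effectively a Vault-administrator identity. A one-line comment would keep that visible to whoever next edits the file or its map entry, e.g. `# token_policies are assigned centrally via policy_auth_map; this role holds Vault admin-level grants, so review changes to its map entry as a privilege change`. The same comment would suit the other approle files, but this is the one where losing the inline list hides the most.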
@@ -5,7 +5,4 @@ bound_service_account_namespaces:
 - csi-cephrbd
 - csi-cephfs
 token_ttl: 60
-token_policies:
- - kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read
- - kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read
 audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml b/config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml
index 0911d28..f9e136a 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml
@@ -3,7 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
 - cert-manager
 token_ttl: 60
-token_policies:
- - pki_int/sign/servers_default
- - pki_int/issue/servers_default
 audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml b/config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml
index 4f1d4c3..fc7b521 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml
@@ -3,6 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
 - externaldns
 token_ttl: 60
-token_policies:
- - kv/service/kubernetes/au/syd1/externaldns/tsig/read
 audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/huntarr-default.yaml b/config/auth_kubernetes_role/k8s/au/syd1/huntarr-default.yaml
index 69bbfa0..552f488 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/huntarr-default.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/huntarr-default.yaml
@@ -3,7 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
 - huntarr
 token_ttl: 60
-token_policies:
- - pki_int/sign/servers_default
- - pki_int/issue/servers_default
 audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml b/config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml
index 4fa0429..5d51fb0 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml
@@ -3,7 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
 - media-apps
 token_ttl: 60
-token_policies:
- - kv/service/media-apps/radarr/read
- - kv/service/media-apps/sonarr/read
 audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml b/config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml
index 4d184b6..a819345 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml
@@ -3,10 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
 - repoflow
 token_ttl: 60
-token_policies:
- - kv/service/repoflow/au/syd1/ceph-s3/read
- - kv/service/repoflow/au/syd1/elasticsearch/read
- - kv/service/repoflow/au/syd1/hasura/read
- - kv/service/repoflow/au/syd1/postgres/read
- - kv/service/repoflow/au/syd1/repoflow-server/read
 audience: vault
diff --git a/config/auth_ldap_group/ldap/vault_access.yaml b/config/auth_ldap_group/ldap/vault_access.yaml
deleted file mode 100644
index e430d1a..0000000
--- a/config/auth_ldap_group/ldap/vault_access.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-policies:
- - "default_access"
diff --git a/config/auth_ldap_group/ldap/vault_admin.yaml b/config/auth_ldap_group/ldap/vault_admin.yaml
index cd28bf2..9c43d98 100644
--- a/config/auth_ldap_group/ldap/vault_admin.yaml
+++ b/config/auth_ldap_group/ldap/vault_admin.yaml
@@ -1,3 +1,3 @@
-policies:
- - "default_access"
- - "global-admin"
+---
+# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
+description: foo
diff --git a/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-admin.yaml b/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-admin.yaml
index 0144c62..b758647 100644
--- a/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-admin.yaml
+++ b/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-admin.yaml
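Review bot: The stub body `description: foo` in vault_admin.yaml injects a real-looking key into the decoded object just to keep the document non-empty, and the comment says `yamlencode` where `yamldecode` is presumably meant, since the file is read, not written. An explicit empty mapping carries the same intent without a stray attribute that a later `merge()` or resource argument could pick up: `---` / `# kept non-empty so yamldecode() yields an object rather than null; policies come from policy_auth_map` / `{}`. Note also that vault_access.yaml is deleted outright in the hunk just above while vault_admin.yaml is kept as a stub, so if the group set is derived from the files present, the `vault_access` LDAP group will be removed from Vault rather than re-pointed at the map; worth confirming that is intended.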
@@ -1,4 +1,3 @@
-backend: "kubernetes/au/syd1"
 allowed_kubernetes_namespaces:
 - "*"
 kubernetes_role_type: "ClusterRole"
diff --git a/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-operator.yaml b/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-operator.yaml
index 0144c62..b758647 100644
--- a/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-operator.yaml
+++ b/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-operator.yaml
@@ -1,4 +1,3 @@
-backend: "kubernetes/au/syd1"
 allowed_kubernetes_namespaces:
 - "*"
 kubernetes_role_type: "ClusterRole"
diff --git a/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-root.yaml b/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-root.yaml
index 0144c62..b758647 100644
--- a/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-root.yaml
+++ b/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-root.yaml
@@ -1,4 +1,3 @@
-backend: "kubernetes/au/syd1"
 allowed_kubernetes_namespaces:
 - "*"
 kubernetes_role_type: "ClusterRole"
diff --git a/config/kubernetes_secret_backend_role/kubernetes/au/syd1/media-apps-operator.yaml b/config/kubernetes_secret_backend_role/kubernetes/au/syd1/media-apps-operator.yaml
index e4b7130..db746a1 100644
--- a/config/kubernetes_secret_backend_role/kubernetes/au/syd1/media-apps-operator.yaml
+++ b/config/kubernetes_secret_backend_role/kubernetes/au/syd1/media-apps-operator.yaml
@@ -1,4 +1,3 @@
-backend: "kubernetes/au/syd1"
 allowed_kubernetes_namespaces:
 - "media-apps"
 kubernetes_role_type: "Role"
diff --git a/config/pki_secret_backend_role/pki/au/syd1/servers_default.yaml b/config/pki_secret_backend_role/pki/au/syd1/servers_default.yaml
index b742321..5071ad6 100644
--- a/config/pki_secret_backend_role/pki/au/syd1/servers_default.yaml
+++ b/config/pki_secret_backend_role/pki/au/syd1/servers_default.yaml
@@ -1,4 +1,3 @@
-backend: "pki/au/syd1"
 allow_ip_sans: true
 allowed_domains:
 - "unkin.net"
diff --git a/config/pki_secret_backend_role/pki_int/servers_default.yaml b/config/pki_secret_backend_role/pki_int/servers_default.yaml
index e4f9ff0..5071ad6 100644
--- a/config/pki_secret_backend_role/pki_int/servers_default.yaml
+++ b/config/pki_secret_backend_role/pki_int/servers_default.yaml
@@ -1,4 +1,3 @@
-backend: "pki_int"
 allow_ip_sans: true
 allowed_domains:
 - "unkin.net"
diff --git a/config/pki_secret_backend_role/pki_root/2024-servers.yaml b/config/pki_secret_backend_role/pki_root/2024-servers.yaml
index acdb7f1..c4b3bff 100644
--- a/config/pki_secret_backend_role/pki_root/2024-servers.yaml
+++ b/config/pki_secret_backend_role/pki_root/2024-servers.yaml
@@ -1,4 +1,3 @@
-backend: "pki_root"
 allow_ip_sans: true
 allowed_domains:
 - "unkin.net"
diff --git a/modules/vault_cluster/main.tf b/modules/vault_cluster/main.tf
index 59f0692..a08f636 100644
--- a/modules/vault_cluster/main.tf
+++ b/modules/vault_cluster/main.tf
@@ -61,7 +61,7 @@ module "auth_ldap_group" {
 groupname = each.value.groupname
 backend = each.value.backend
- policies = each.value.policies
+ policies = var.policy_auth_map[each.value.backend][each.value.groupname]
 depends_on = [module.auth_ldap_backend]
 }
diff --git a/modules/vault_cluster/variables.tf b/modules/vault_cluster/variables.tf
index bb0942e..759876e 100644
--- a/modules/vault_cluster/variables.tf
+++ b/modules/vault_cluster/variables.tf
@@ -58,7 +58,6 @@ variable "auth_ldap_group" {
 type = map(object({
 groupname = string
 backend = string
- policies = list(string)
 }))
 default = {}
 }
@@ -287,4 +286,4 @@ variable "policy_rules_map" {
 capabilities = list(string)
 })))
 default = {}
-}
\ No newline at end of file
+}
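Review bot: `policies = var.policy_auth_map[each.value.backend][each.value.groupname]` indexes the map directly, so an LDAP group with no entry (or a missing backend key) aborts the plan instead of creating the group with an empty policy list; for an auth-to-policy mapping that is the right failure mode, and it is worth recording so nobody later wraps it in `try()`/`lookup()` with a `[]` default. Suggested comment above the line: `# Deliberately no lookup()/try() default: a group absent from policy_auth_map must fail the plan, not be created with no policies.` The `module "auth_ldap_group"` block starts before this hunk.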
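Review bot: The `policy_auth_map` variable that main.tf now indexes is not declared in either variables.tf hunk; if it is declared elsewhere in the file, it should carry a concrete type such as `map(map(list(string)))` rather than `any`, so a mistyped or scalar entry is rejected at plan time instead of being passed through to the LDAP group resource. Dropping `policies` from the `auth_ldap_group` object type is consistent with the main.tf change; the second hunk only restores the missing trailing newline.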