diff --git a/modules/gcp/iam/main.tf b/modules/gcp/iam/main.tf
index 7f3c4a1..2919a41 100644
--- a/modules/gcp/iam/main.tf
+++ b/modules/gcp/iam/main.tf
@@ -79,6 +79,23 @@ resource "google_service_account_iam_binding" "vault_workload_identity_binding"
 depends_on = [google_service_account.vault_sa]
 }
 
+resource "google_project_iam_custom_role" "vault_service_account_role" {
+ role_id = "VaultServiceAccountRole"
+ project = var.project_id
+ title = "Vault Service Account Role"
+ description = "Role for Vault to authenticate using GCP service accounts"
+ permissions = [
+ "iam.serviceAccounts.get",
+ "iam.serviceAccountKeys.get"
+ ]
+}
+
+resource "google_project_iam_member" "vault_service_account_role_binding" {
+ project = var.project_id
+ role = "projects/${var.project_id}/roles/VaultServiceAccountRole"
+ member = "serviceAccount:${google_service_account.vault_sa.email}"
+}
+
 # ƒor loki
 resource "google_service_account" "loki_gcs_sa" {
 project = var.project_id
@@ -179,3 +196,12 @@ resource "google_service_account_iam_binding" "workload_identity_binding" {
 "serviceAccount:${var.project_id}.svc.id.goog[atlantis/atlantis]"
 ]
 }
+
+resource "google_service_account_iam_binding" "service_account_token_creator" {
+ service_account_id = google_service_account.atlantis.name
+ role = "roles/iam.serviceAccountTokenCreator"
+ members = [
+ "serviceAccount:${google_service_account.atlantis.email}",
+ "user:jipark7937@gmail.com"
+ ]
+}
diff --git a/projects/k8s/vault/configs/provider.tf b/projects/k8s/vault/configs/provider.tf
index 3e0cbaf..4b16b97 100644
--- a/projects/k8s/vault/configs/provider.tf
+++ b/projects/k8s/vault/configs/provider.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "4.84.0"
+ version = "6.23.0"
 }
 vault = {
 source = "hashicorp/vault"
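Review bot: The `role` on the `google_project_iam_member` line is a hand-built string, `projects/${var.project_id}/roles/VaultServiceAccountRole`, so Terraform sees no dependency on the custom role defined just above it and may try to apply the binding before the role exists; a later rename of `role_id` would also silently break the binding. Reference the resource instead: `role = google_project_iam_custom_role.vault_service_account_role.id`. The permission pair (`iam.serviceAccounts.get`, `iam.serviceAccountKeys.get`) is the set the Vault GCP auth method needs for its iam login type, and a comment above `permissions` saying so, e.g. `# minimum set Vault's GCP auth method (iam type) needs to verify signed JWTs`, would let a reviewer confirm nothing broader crept in. The `loki_gcs_sa` resource at the end of the hunk continues outside it.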
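Review bot: The new `google_service_account_iam_binding` is authoritative for `roles/iam.serviceAccountTokenCreator` on the atlantis service account, so any other principal currently holding that role on it is removed on apply, and the `user:` member on the last line hard-codes a personal Google account into a shared module with the ability to obtain tokens and sign JWTs as atlantis — the same identity the provider.tf change in this commit uses to log in to Vault. Move that principal out of the module into a variable (a list such as `var.atlantis_token_creators`, ideally holding a Google group rather than an individual), or switch to one `google_service_account_iam_member` per member so the grant is additive and auditable per principal. The self-grant via `google_service_account.atlantis.email` is presumably what lets the account sign its own JWT for `google_service_account_jwt`; a comment stating that, e.g. `# self-grant: atlantis signs its own JWT for Vault GCP auth (see provider.tf)`, would make the binding reviewable on its own.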
@@ -44,8 +44,6 @@ data "kubernetes_secret" "vault_sa_token" {
 
 locals {
 token_reviewer_jwt = data.kubernetes_secret.vault_sa_token.data["token"]
- role_id = data.google_secret_manager_secret_version.vault_role_id.secret_data
- secret_id = data.google_secret_manager_secret_version.vault_secret_id.secret_data
 }
 
 provider "google" {
@@ -53,21 +51,25 @@ provider "google" {
 region = var.region
 }
 
-data "google_secret_manager_secret_version" "vault_role_id" {
- secret = "vault_role_id"
-}
+ephemeral "google_service_account_jwt" "vault_jwt" {
+ target_service_account = "atlantis@${var.project_id}.iam.gserviceaccount.com"
+
+ payload = jsonencode({
+ sub: "atlantis@${var.project_id}.iam.gserviceaccount.com",
+ aud: "vault/terraform",
+ })
 
-data "google_secret_manager_secret_version" "vault_secret_id" {
- secret = "vault_secret_id"
+ expires_in = 1800
 }
 
 provider "vault" {
 address = "https://vault.goboolean.io"
+
 auth_login {
- path = "auth/approle/login"
+ path = "auth/gcp/login"
 parameters = {
- role_id = local.role_id
- secret_id = local.secret_id
+ jwt = ephemeral.google_service_account_jwt.vault_jwt.jwt
+ role = "terraform"
 }
 }
 }
diff --git a/projects/k8s/vault/configs/terraform.tfvars b/projects/k8s/vault/configs/terraform.tfvars
new file mode 100644
index 0000000..c7bc083
--- /dev/null
+++ b/projects/k8s/vault/configs/terraform.tfvars
@@ -0,0 +1,3 @@
+# Google Cloud Platform
+project_id = "goboolean-452007"
+region = "asia-northeast3"
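Review bot: `expires_in = 1800` gives the signed login JWT a 30-minute lifetime, but Vault's GCP auth method rejects a JWT whose `exp` lies beyond the role's `max_jwt_exp`, which defaults to 15 minutes, so this login fails unless the `terraform` role was explicitly configured with a longer limit; shortening it to something well inside the default, `expires_in = 300`, both avoids that failure and narrows the window in which a leaked JWT is usable. The `ephemeral` block requires Terraform 1.10 or newer, and the `terraform {}` block in the earlier hunk pins only providers, so add `required_version = ">= 1.10"` there rather than letting older CLIs fail with an unsupported-block error. `target_service_account` and `sub` each construct the same email by hand; since the auth method identifies the signing account from `sub`, the two must agree, and a single `local.atlantis_sa_email` used in both places would keep them from drifting apart.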