diff --git a/roles/devserver/userland-software/dev.sls b/roles/devserver/userland-software/dev.sls
--- a/roles/devserver/userland-software/dev.sls
+++ b/roles/devserver/userland-software/dev.sls
@@ -221,6 +221,15 @@
 - pkgs:
 - git-review
 
+# -------------------------------------------------------------
+# Nasqueron development and operations
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ dirs.bin }}/create-vault-approle:
+ file.managed:
+ - source: salt://roles/devserver/userland-software/files/create-vault-approle.py
+ - mode: 755
+
 # -------------------------------------------------------------
 # MediaWiki development
 #
diff --git a/roles/devserver/userland-software/files/create-vault-approle.sh b/roles/devserver/userland-software/files/create-vault-approle.sh
new file mode 100755
--- /dev/null
+++ b/roles/devserver/userland-software/files/create-vault-approle.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+VAULT_POLICY=$1
+
+vault write "auth/approle/role/$VAULT_POLICY" token_policies="$VAULT_POLICY" \
+ token_ttl=1h token_max_ttl=4h
+
+vault read "auth/approle/role/$VAULT_POLICY/role-id"
+vault write -force "auth/approle/role/$VAULT_POLICY/secret-id"
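Review bot: The `source` of the new `create-vault-approle` state points at `files/create-vault-approle.py`, while the file this commit adds is `files/create-vault-approle.sh`. Unless a `.py` file already exists in the tree (not visible in this diff), `file.managed` will not find its source and the state will fail on the next run. The line should read `- source: salt://roles/devserver/userland-software/files/create-vault-approle.sh`.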
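Review bot: The script uses `$1` unchecked and does not stop on errors, so when run without an argument it attempts a write to `auth/approle/role/` with an empty policy name, and if the role write fails it still goes on to request a secret-id. Adding `set -eu` under the shebang and a guard such as `[ $# -eq 1 ] || { echo "Usage: $0 <policy>" >&2; exit 1; }` before the assignment would cover both. Separately, the role write bounds token lifetime only; with Vault's defaults the generated secret-id has no expiry or use limit, so consider adding `secret_id_ttl=` and `secret_id_num_uses=` values to that `vault write`. The secret-id is also printed to the terminal, which deserves a header comment telling operators to keep the output out of logs and shared captures.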