diff --git a/README.md b/README.md
index 98ff8ad..c361510 100644
--- a/README.md
+++ b/README.md
@@ -108,7 +108,9 @@ REQUIRED
 #### `vault_token`
-Vault token for authenticating to vault. This should have appropriate permissions applied in vault. A demo script is provided
+Vault token for authenticating to vault. This should have appropriate
+permissions applied in vault. A demo script is provided
+[here](vault_policy.sh)
 REQUIRED
diff --git a/vault_policy.sh b/vault_policy.sh
new file mode 100644
index 0000000..035d7bc
--- /dev/null
+++ b/vault_policy.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# this script sets up policies in vault to support reading and writing certs.
+# Comments at the bottom provide examples for how to create tokens using these
+# policies, to be distributed to machines.
+
+cert_read='
+path "secret/letsencrypt/*" {
+capabilities = ["read"]
+}
+'
+
+cert_write='
+path "secret/letsencrypt/*" {
+capabilities = ["create", "update", "read"]
+}
+path "secret/dns_api/token" {
+capabilities = ["read"]
+}
+'
+vault write sys/policy/cert_read policy=@<(echo $cert_read)
+vault write sys/policy/cert_write policy=@<(echo $cert_write)
+
+# create periodic tokens:
+# these tokens have a period of 20 days, they will expire if not renewed.
+
+# vault token create -policy=cert_write -period=1728000 -metadata="host=testbox"
+# vault token create -policy=cert_read -period=1728000 -metadata="host=testbox"
+
+# secret for dns api
+# vault write secret/dns_api/token value=$(cat)
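Review bot: The two `vault write sys/policy/...` lines feed the policy through an unquoted `echo $cert_read` / `echo $cert_write`, so word splitting flattens the HCL onto one line and the write only succeeds because HCL tolerates that form; the robust spelling is `vault write sys/policy/cert_read policy=@<(printf '%s' "$cert_read")` and `vault write sys/policy/cert_write policy=@<(printf '%s' "$cert_write")`. Nothing after the `#!/bin/bash` line enables `set -euo pipefail`, so if the first policy write fails the second still runs and the script exits 0 whenever the last command succeeds, which matters here because these policies are what bounds the tokens handed to machines; adding `set -euo pipefail` as the second line closes that gap. In the final commented example, `value=$(cat)` still places the DNS API secret on the `vault` process's command line, where it is visible in process listings and any `set -x` trace; the Vault CLI's `value=-` form reads the value from stdin directly and is the safer example to document.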