diff --git a/Dockerfile b/Dockerfile
index a2173ef..6ccb012 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -35,6 +35,9 @@ RUN curl -fsSL https://github.com/helmfile/vals/releases/download/v${VALS_VERSIO
 
 RUN ln -sf "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh" /usr/local/sbin/helm
 
+# Add init script to convert SA token into kubeconfig for vals
+ADD sa2kubeconfig.sh /usr/local/bin/sa2kubeconfig.sh
+
 USER ${ARGOCD_USER_ID}
 
 RUN helm plugin install --version ${HELM_SECRETS_VERSION} https://github.com/jkroepke/helm-secrets
diff --git a/sa2kubeconfig.sh b/sa2kubeconfig.sh
new file mode 100755
index 0000000..e4090c9
--- /dev/null
+++ b/sa2kubeconfig.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+SA_NAME=argocd-repo-server
+
+CA64=$(cat /run/secrets/kubernetes.io/serviceaccount/ca.crt | base64 -w0)
+TOKEN=$(cat /run/secrets/kubernetes.io/serviceaccount/token)
+
+mkdir -p $HOME/.kube
+
+cat > $HOME/.kube/config << EOF
+apiVersion: v1
+kind: Config
+clusters:
+- name: local
+  cluster:
+    server: https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT_HTTPS
+    certificate-authority-data: $CA64
+users:
+- name: $SA_NAME
+  user:
+    token: "$TOKEN"
+contexts:
+- name: ${SA_NAME}_context
+  context:
+    cluster: local
+    user: $SA_NAME
+current-context: ${SA_NAME}_context
+EOF