diff --git a/cloud-init/k3s/cloud_init.cfg b/cloud-init/k3s/cloud_init.cfg
index c30206c..cc3f84a 100644
--- a/cloud-init/k3s/cloud_init.cfg
+++ b/cloud-init/k3s/cloud_init.cfg
@@ -21,6 +21,20 @@ write_files:
 - oidc-client-id=headlamp
 - oidc-username-claim=email
 - oidc-groups-claim=groups
+ # Kubernetes ServiceAccount issuer for projected pod tokens. This is separate
+ # from the Dex OIDC config above, which validates human/user login tokens.
+ # AWS STS will use the public static discovery/JWKS documents served by www
+ # at https://makeitwork.cloud/oidc to validate sops-secrets-operator tokens.
+ - path: /etc/rancher/k3s/config.yaml.d/service-account-issuer.yaml
+ permissions: '0600'
+ content: |
+ kube-apiserver-arg:
+ # First issuer signs new ServiceAccount tokens.
+ - service-account-issuer=https://makeitwork.cloud/oidc
+ # Keep the k3s default issuer accepted during transition.
+ - service-account-issuer=https://kubernetes.default.svc.cluster.local
+ - service-account-jwks-uri=https://makeitwork.cloud/oidc/openid/v1/jwks
+ - api-audiences=https://makeitwork.cloud/oidc,https://kubernetes.default.svc.cluster.local
 groups:
 - default
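Review bot: The `service-account-jwks-uri` line points validators at a JWKS hosted outside the cluster, but nothing in this hunk shows how that static document is produced from the apiserver's `/openid/v1/jwks` or refreshed when k3s rotates the ServiceAccount signing key; if the published copy goes stale, AWS STS rejects every sops-secrets-operator token until it is republished, and the apiserver's own discovery document will keep advertising the external URI. I would record that dependency in the comment block above the `path:` entry, e.g. `# The JWKS published at makeitwork.cloud/oidc must be regenerated from the apiserver's /openid/v1/jwks whenever the SA signing key changes.` Because the issuer is publicly resolvable, any holder of a projected token with this `aud` can present it to STS, so the IAM role trust policy should condition on both the `sub` claim (namespace and ServiceAccount name) and the `aud` claim rather than the issuer alone; that lives outside this file but deserves a line in the same comment. The `write_files` entry that the three `oidc-*` context lines belong to begins before the hunk.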