diff --git a/plugins/secrets/vault/kubernetes.go b/plugins/secrets/vault/kubernetes.go index be5d8ed04..f289a8aff 100644 --- a/plugins/secrets/vault/kubernetes.go +++ b/plugins/secrets/vault/kubernetes.go @@ -16,22 +16,22 @@ Vault JSON Response } } */ -type VaultAuth struct { +type vaultAuth struct { Token string `json:"client_token"` Lease string `json:"lease_duration"` } -type VaultResp struct { - Auth VaultAuth +type vaultResp struct { + Auth vaultAuth } -func getKubernetesToken(addr, role, mountPoint, tokenFile string) (string, time.Duration, error) { +func getKubernetesToken(addr, role, mount, tokenFile string) (string, time.Duration, error) { b, err := ioutil.ReadFile(tokenFile) if err != nil { return "", 0, err } - var resp VaultResp - path := fmt.Sprintf("%s/v1/auth/%s/login", addr, mountPoint) + var resp vaultResp + path := fmt.Sprintf("%s/v1/auth/%s/login", addr, mount) data := map[string]string{ "jwt": string(b), "role": role, diff --git a/plugins/secrets/vault/opts.go b/plugins/secrets/vault/opts.go index 037071ea8..081857854 100644 --- a/plugins/secrets/vault/opts.go +++ b/plugins/secrets/vault/opts.go @@ -4,11 +4,7 @@ package vault -import ( - "github.com/Sirupsen/logrus" - "os" - "time" -) +import "time" // Opts sets custom options for the vault client. type Opts func(v *vault) 
@@ -29,20 +25,13 @@ func WithRenewal(d time.Duration) Opts { } } -func WithKubernetesAuth() Opts { +// WithKubernetes returns an options that sets +// kubernetes-auth parameters required to retrieve +// an initial Vault token +func WithKubernetesAuth(addr, role, mount string) Opts { return func(v *vault) { - addr := os.Getenv("VAULT_ADDR") - role := os.Getenv("DRONE_VAULT_KUBERNETES_ROLE") - mount := os.Getenv("DRONE_VAULT_AUTH_MOUNT_POINT") - jwtFile := "/var/run/secrets/kubernetes.io/serviceaccount/token" - token, ttl, err := getKubernetesToken(addr, role, mount, jwtFile) - if err != nil { - logrus.Debugf("vault: failed to obtain token via kubernetes-auth backend: %s", err) - return - } - - v.client.SetToken(token) - v.ttl = ttl - v.renew = ttl / 2 + v.kubeAuth.addr = addr + v.kubeAuth.role = role + v.kubeAuth.mount = mount } } diff --git a/plugins/secrets/vault/opts_test.go b/plugins/secrets/vault/opts_test.go index 217a98892..79f01160f 100644 --- a/plugins/secrets/vault/opts_test.go +++ b/plugins/secrets/vault/opts_test.go @@ -26,3 +26,21 @@ func TestWithRenewal(t *testing.T) { t.Errorf("Want renewal %v, got %v", want, got) } } + +func TestWithKubernetesAuth(t *testing.T) { + v := new(vault) + addr := "https://address.fake" + role := "fakeRole" + mount := "kubernetes" + opt := WithKubernetesAuth(addr, role, mount) + opt(v) + if got, want := v.kubeAuth.addr, addr; got != want { + t.Errorf("Want addr %v, got %v", want, got) + } + if got, want := v.kubeAuth.role, role; got != want { + t.Errorf("Want role %v, got %v", want, got) + } + if got, want := v.kubeAuth.mount, mount; got != want { + t.Errorf("Want mount %v, got %v", want, got) + } +} diff --git a/plugins/secrets/vault/vault.go b/plugins/secrets/vault/vault.go index 2ec801158..ebad6859b 100644 --- a/plugins/secrets/vault/vault.go +++ b/plugins/secrets/vault/vault.go 
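Review bot: The doc comment added above WithKubernetesAuth names the function `WithKubernetes` and reads "returns an options", so godoc will not attach it to the function as written; suggest `// WithKubernetesAuth returns an Opts that records the Vault address, role and auth mount used to obtain an initial token from the kubernetes auth backend.` The option now only records parameters: nothing in this hunk sets `v.auth`, and New in vault.go only calls initKubernetes when `v.auth == "kubernetes"`, so unless an option outside this diff sets that field, calling WithKubernetesAuth alone leaves the client without a token — worth confirming. If the intent is that this option enables the backend, add `v.auth = "kubernetes"` inside the closure. Since the service-account JWT read by getKubernetesToken is posted to `addr`, rejecting an empty addr or role here (or at least documenting that the values are used verbatim in the login URL) would surface misconfiguration earlier than a failed login at New.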
@@ -41,11 +41,17 @@ type vaultConfig struct { } type vault struct { - store model.ConfigStore - client *api.Client - ttl time.Duration - renew time.Duration - done chan struct{} + store model.ConfigStore + client *api.Client + ttl time.Duration + renew time.Duration + auth string + kubeAuth kubeAuth + done chan struct{} +} + +type kubeAuth struct { + addr, role, mount string } // New returns a new store with secrets loaded from vault. @@ -61,10 +67,34 @@ func New(store model.ConfigStore, opts ...Opts) (secrets.Plugin, error) { for _, opt := range opts { opt(v) } + if v.auth == "kubernetes" { + err = v.initKubernetes() + if err != nil { + return nil, err + } + } v.start() // start the refresh process. return v, nil } +func (v *vault) initKubernetes() error { + token, ttl, err := getKubernetesToken( + v.kubeAuth.addr, + v.kubeAuth.role, + v.kubeAuth.mount, + "/var/run/secrets/kubernetes.io/serviceaccount/token", + ) + if err != nil { + logrus.Debugf("vault: failed to obtain token via kubernetes-auth backend: %s", err) + return err + } + + v.client.SetToken(token) + v.ttl = ttl + v.renew = ttl / 2 + return nil +} + func (v *vault) SecretListBuild(repo *model.Repo, build *model.Build) ([]*model.Secret, error) { return v.list(repo, build) }
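Review bot: The new `auth` and `kubeAuth` fields carry no comments, and the value New compares `auth` against ("kubernetes") is a bare string literal; suggest `// auth selects how the initial token is obtained; "kubernetes" uses the kubernetes auth backend` above `auth string` and `// kubeAuth holds the kubernetes-auth login parameters; only read when auth == "kubernetes"` above `kubeAuth kubeAuth`. A named constant such as `const authKubernetes = "kubernetes"` shared by the comparison and whatever sets the field would keep the two from drifting. The vault struct is fully visible in the hunk; the preceding vaultConfig struct only closes at its start.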
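Review bot: initKubernetes unconditionally assigns `v.ttl` and `v.renew = ttl / 2` after the option loop has already run, so a renewal period supplied via WithRenewal is silently overwritten whenever the kubernetes backend is used; if that is not intended, guard it with `if v.renew == 0 { v.renew = ttl / 2 }`. Nothing in this diff assigns `v.auth`, so the `v.auth == "kubernetes"` gate in New only fires if some code outside the diff sets it — please confirm. If the login response carries a zero lease (which, as I recall, Vault uses for non-expiring tokens, and which also results from a parse failure of `lease_duration`), `renew` becomes 0; what `v.start()` does with a zero period is outside the hunk, but a cheap check here would avoid a tight refresh loop. Finally, initKubernetes both logs the failure at Debug and returns it, and New returns it again to the caller; dropping the log line or returning `fmt.Errorf("vault: kubernetes auth login: %v", err)` handles the error at exactly one layer.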