diff --git a/internal/keystore/vault/client.go b/internal/keystore/vault/client.go
index f7ee6f4a..f34aee52 100644
--- a/internal/keystore/vault/client.go
+++ b/internal/keystore/vault/client.go
@@ -7,7 +7,9 @@ package vault
 import (
 	"context"
 	"errors"
+	"os"
 	"path"
+	"strings"
 	"sync/atomic"
 	"time"
 
@@ -104,9 +106,18 @@ func (c *client) AuthenticateWithK8S(login *Kubernetes) authFunc {
 			client = client.WithNamespace(login.Namespace)
 		}
 
+		jwt := login.JWT
+		if strings.ContainsRune(jwt, '/') || strings.ContainsRune(jwt, os.PathSeparator) {
+			jwtBytes, err := os.ReadFile(jwt)
+			if err != nil {
+				return nil, err
+			}
+			jwt = string(jwtBytes)
+		}
+
 		secret, err := client.Logical().WriteWithContext(ctx, path.Join("auth", login.Engine, "login"), map[string]interface{}{
 			"role": login.Role,
-			"jwt":  login.JWT,
+			"jwt":  jwt,
 		})
 		if secret == nil && err == nil {
 			// The Vault SDK eventually returns no error but also no
diff --git a/kesconf/config.go b/kesconf/config.go
index d9940f43..67860da2 100644
--- a/kesconf/config.go
+++ b/kesconf/config.go
@@ -447,11 +447,11 @@ func ymlToKeyStore(y *ymlFile) (KeyStore, error) {
 		// We always check for '/' and the OS-specific one make cover cases where
 		// a path is specified using '/' but the underlying OS is e.g. windows.
 		if jwt := y.KeyStore.Vault.Kubernetes.JWT.Value; strings.ContainsRune(jwt, '/') || strings.ContainsRune(jwt, os.PathSeparator) {
-			b, err := os.ReadFile(y.KeyStore.Vault.Kubernetes.JWT.Value)
+			_, err := os.ReadFile(y.KeyStore.Vault.Kubernetes.JWT.Value)
 			if err != nil {
 				return nil, fmt.Errorf("kesconf: failed to read vault kubernetes JWT from '%s': %v", y.KeyStore.Vault.Kubernetes.JWT.Value, err)
 			}
-			y.KeyStore.Vault.Kubernetes.JWT.Value = string(b)
+			// postpone resolving the JWT until actually logging in
 		}
 	}
 	if y.KeyStore.Vault.Transit != nil {
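Review bot: The read failure on the new `return nil, err` line in AuthenticateWithK8S is returned bare, so a failed login reports only the OS error without saying which file was being read as the Kubernetes JWT; the startup check in kesconf/config.go wraps the same failure with the path, and this login-time path should match it, e.g. `return nil, fmt.Errorf("vault: reading kubernetes JWT from %q: %w", jwt, err)` (fmt may need adding to the import hunk, which only adds os and strings). The file contents are also sent verbatim, so a trailing newline in a mounted token file would become part of the submitted JWT; `jwt = strings.TrimSpace(string(jwtBytes))` would avoid that. The "contains '/' or os.PathSeparator" rule that decides path-versus-token now lives both here and in kesconf/config.go; a small shared helper would keep the two from drifting apart. The enclosing function and the closure this code runs in start and end outside the hunk.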
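Review bot: After this change `JWT.Value` keeps the file path instead of the token, but the replacement comment `// postpone resolving the JWT until actually logging in` does not say so, and a reader of the struct field cannot tell it may now hold a path; state it here or on the field, e.g. `// JWT.Value is left as the file path: the vault client reads the file at each login, presumably so rotated tokens are picked up; this read only confirms the file is readable at startup`. The check still loads the entire file only to discard it, and it repeats the long selector although `jwt` is already bound in the `if` initializer: `_, err := os.ReadFile(jwt)`. ymlToKeyStore starts and ends outside the hunk.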