diff --git a/ops/vault/reissue-secret-id.sh b/ops/vault/reissue-secret-id.sh
new file mode 100755
index 0000000000..6ba9ff76bf
--- /dev/null
+++ b/ops/vault/reissue-secret-id.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -p vault -p jq -i bash
+
+set -euo pipefail
+
+readonly server_name=${1}
+
+export VAULT_ADDR=https://vault.int.lukegb.com/
+
+echo Checking login credentials... >&2
+vault token lookup >/dev/null || vault login -method=oidc role=admin >&2
+
+echo Creating new secret... >&2
+vault write -f -format=json auth/approle/role/${server_name}/secret-id | jq -r '.data.secret_id'
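Review bot: `server_name` reaches the `vault write` path on the last line unquoted and unvalidated, so a value containing whitespace, `/` or `..` is word-split or addresses a different API path while the script holds an admin-role token. Constrain it before use, e.g. `[[ "$server_name" =~ ^[A-Za-z0-9_-]+$ ]] || { echo "invalid server name" >&2; exit 2; }`, and quote the path as `"auth/approle/role/${server_name}/secret-id"`. With `set -u`, a missing argument fails with a bare "unbound variable" message; `readonly server_name=${1:?usage: reissue-secret-id.sh SERVER_NAME}` would state what is expected. The secret-id is also printed in clear on stdout, so an interactive run leaves it in terminal scrollback; a short header comment saying the output is meant to be piped or redirected would help, and Vault's `-wrap-ttl` could be considered if the consumer can unwrap.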