diff --git a/internal/keystore/vault/client.go b/internal/keystore/vault/client.go
index dbdea62d..8472f1cb 100644
--- a/internal/keystore/vault/client.go
+++ b/internal/keystore/vault/client.go
@@ -70,7 +70,7 @@ func (c *client) CheckStatus(ctx context.Context, delay time.Duration) {
 //
 // To renew the auth. token see: client.RenewToken(...).
 func (c *client) AuthenticateWithAppRole(login *AppRole) authFunc {
- return func() (*vaultapi.Secret, error) {
+ return func(ctx context.Context) (*vaultapi.Secret, error) {
 client := c.Client
 switch {
 case login.Namespace == "/": // Treat '/' as the root namespace
@@ -79,7 +79,7 @@ func (c *client) AuthenticateWithAppRole(login *AppRole) authFunc {
 client = client.WithNamespace(login.Namespace)
 }
 
- secret, err := client.Logical().Write(path.Join("auth", login.Engine, "login"), map[string]interface{}{
+ secret, err := client.Logical().WriteWithContext(ctx, path.Join("auth", login.Engine, "login"), map[string]interface{}{
 "role_id": login.ID,
 "secret_id": login.Secret,
 })
@@ -95,7 +95,7 @@ func (c *client) AuthenticateWithAppRole(login *AppRole) authFunc {
 }
 
 func (c *client) AuthenticateWithK8S(login *Kubernetes) authFunc {
- return func() (*vaultapi.Secret, error) {
+ return func(ctx context.Context) (*vaultapi.Secret, error) {
 client := c.Client
 switch {
 case login.Namespace == "/": // Treat '/' as the root namespace
@@ -104,7 +104,7 @@ func (c *client) AuthenticateWithK8S(login *Kubernetes) authFunc {
 client = client.WithNamespace(login.Namespace)
 }
 
- secret, err := client.Logical().Write(path.Join("auth", login.Engine, "login"), map[string]interface{}{
+ secret, err := client.Logical().WriteWithContext(ctx, path.Join("auth", login.Engine, "login"), map[string]interface{}{
 "role": login.Role,
 "jwt": login.JWT,
 })
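Review bot: AuthenticateWithK8S still has no doc comment in the @@ -95 hunk while AuthenticateWithAppRole has one, and neither comment says what the new ctx parameter of the returned authFunc governs; add above it `// AuthenticateWithK8S returns an authFunc that logs in with login.Role and the token in login.JWT; the ctx passed to the authFunc bounds that single login request.` and extend the AppRole comment (it starts above the @@ -70 hunk) in the same way. Both closures now carry identical namespace selection and `WriteWithContext` scaffolding that differ only in the payload map (hunks @@ -70, -79, -95 and -104), so a private helper taking ctx, the namespace, the engine and the payload would leave one place to maintain, although the switch's remaining cases sit outside these hunks. Each closure's body continues past the end of its hunk.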
@@ -124,7 +124,7 @@ func (c *client) AuthenticateWithK8S(login *Kubernetes) authFunc {
 // It returns a secret with a Vault authentication token
 // and its time-to-live (TTL) or an error explaining why
 // the authentication attempt failed.
-type authFunc func() (*vaultapi.Secret, error)
+type authFunc func(context.Context) (*vaultapi.Secret, error)
 
 // RenewToken tries to renew the Vault auth token periodically
 // based on its TTL. If TTL is zero, RenewToken returns early
@@ -168,9 +168,14 @@ func (c *client) RenewToken(ctx context.Context, authenticate authFunc, secret *
 }
 
 // We renew the token right before it expires.
- renewIn := ttl
- if renewIn > 10*time.Second {
- renewIn = ttl - 10*time.Second
+ var renewIn time.Duration
+ switch {
+ case ttl > time.Minute:
+ renewIn = ttl - time.Minute
+ case ttl > 30*time.Second:
+ renewIn = ttl - 30*time.Second
+ default:
+ renewIn = time.Second
 }
 
 timer := time.NewTimer(renewIn)
@@ -192,10 +197,10 @@ func (c *client) RenewToken(ctx context.Context, authenticate authFunc, secret *
 }
 }
 if secret == nil {
- secret, _ = authenticate()
+ secret, _ = authenticate(ctx)
 }
 } else {
- secret, _ = authenticate()
+ secret, _ = authenticate(ctx)
 }
 
 if secret != nil {
diff --git a/internal/keystore/vault/vault.go b/internal/keystore/vault/vault.go
index 41402e71..2679d931 100644
--- a/internal/keystore/vault/vault.go
+++ b/internal/keystore/vault/vault.go
@@ -131,7 +131,7 @@ func Connect(ctx context.Context, c *Config) (*Store, error) {
 authenticate = client.AuthenticateWithK8S(c.K8S)
 }
 
- auth, err := authenticate()
+ auth, err := authenticate(ctx)
 if err != nil {
 return nil, err
 }
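Review bot: The doc comment on authFunc (its opening lines are above the @@ -124 hunk) still describes a function without arguments and says nothing about the context the new signature takes; add `// The context bounds the single login request made by one call.` before the type line. Since RenewToken passes its own long-lived ctx to every call (@@ -192 hunk), the comment should also state that any per-call deadline is the caller's responsibility.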
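Review bot: The new switch in the @@ -168 hunk makes renewIn collapse to almost nothing just above each threshold: a ttl of exactly 60s yields 30s, but 60s plus 1ms yields 1ms, and 30s plus 1ms likewise yields 1ms, so tokens with TTLs near those boundaries are renewed in a near-tight loop while shorter TTLs wait longer. The subtracted margin should never exceed half of the TTL; the rewrite below keeps the fixed margins only where ttl is at least twice the margin and otherwise waits half the TTL with a one-second floor, which is monotone in ttl. RenewToken begins and ends outside this hunk, and ttl is computed above it (the zero-TTL case is documented as returning early).
```go
	// We renew the token right before it expires, but never wait less
	// than half of the TTL so that a TTL just above a threshold does
	// not produce a near-zero timer.
	var renewIn time.Duration
	switch {
	case ttl > 2*time.Minute:
		renewIn = ttl - time.Minute
	case ttl > time.Minute:
		renewIn = ttl - 30*time.Second
	default:
		renewIn = ttl / 2
		if renewIn < time.Second {
			renewIn = time.Second
		}
	}
	// … unchanged: timer := time.NewTimer(renewIn) …
```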
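Review bot: Both `secret, _ = authenticate(ctx)` calls in the @@ -192 hunk hand the renewal loop's own ctx to the login, so a Vault login that hangs blocks renewal until RenewToken itself is cancelled and can let the current token expire in the meantime; only whatever request timeout the Vault API client is configured with bounds it. Derive a per-attempt context at both sites instead, e.g. `loginCtx, cancel := context.WithTimeout(ctx, 10*time.Second) // example bound`, `secret, _ = authenticate(loginCtx)`, `cancel()`. Discarding the error is pre-existing, but once the attempt is bounded it becomes worth logging so a rejected or timed-out re-login is visible to operators. RenewToken continues outside the hunk.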