Apply policies to service accounts across multiple K8s clusters

I’m trying to use Kubernetes auth with Vault and I’m having some trouble figuring out how to configure my policies. In short, I have an app that runs in multiple clusters and I want to allow all instances of that app to read from a path in Vault.

I’m trying to use the Vault CSI driver, which means my only option is Kubernetes auth. Each app in Kubernetes runs with a service account, and each service account (fully qualified to cluster + namespace + service account) must be associated with a Vault policy to grant it access to data within Vault. Since I have apps that run in multiple clusters, though, I don’t really want the access grants to be so granular. I really want to grant access to a namespace + service account combination, regardless of the cluster it lives in… or something along those lines.

I think it might be possible to use the identity group feature to collect all of my service accounts into a single group and use that to apply the policies to that group. The problem is that group members have to be updated explicitly, so we’d have to make manual updates every time we bring a cluster online. I’d like to avoid that if possible.

Can anyone recommend a solution that would apply the same set of policies to matching service accounts across multiple clusters?
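As an added illustration (not part of the original post, and not HashiCorp's own code) of the pattern the question is circling around: each cluster gets its own Kubernetes auth mount, every mount carries an identically named role bound to the same namespace + service account, and all of those roles reference one shared policy. The policy and the role definition are written once; bringing a new cluster online is one extra `configure_cluster` call rather than a hand-edited identity group. Cluster names, the `payments`/`billing` namespace and service account, the `billing-reader` policy, the `secret/data/billing/*` path and the CA/JWT file names are all assumed placeholders.

```shell
#!/bin/sh
# Added example: one Kubernetes auth mount per cluster, same role on each,
# one shared policy. All names below are assumed placeholders.
set -eu

VAULT="${VAULT:-vault}"        # set VAULT=echo for a dry run (prints commands)

POLICY_NAME="billing-reader"   # assumed policy name
SA_NAMESPACE="payments"        # assumed namespace the app runs in
SA_NAME="billing"              # assumed service account the app runs as

# The policy is written once and referenced by every cluster's role.
write_shared_policy() {
  "$VAULT" policy write "$POLICY_NAME" - <<EOF
# assumed KV v2 path; read-only is all the app needs
path "secret/data/billing/*" {
  capabilities = ["read"]
}
EOF
}

# Per-cluster setup: mount at auth/kubernetes-<cluster>, point it at that
# cluster's API server, and create a role that binds the same namespace +
# service account to the shared policy. The role name is the value the CSI
# SecretProviderClass refers to, so keeping it identical across clusters
# lets one manifest work everywhere.
configure_cluster() {
  cluster="$1"; host="$2"; ca_file="$3"; reviewer_jwt_file="$4"
  mount="kubernetes-$cluster"

  "$VAULT" auth enable -path="$mount" kubernetes

  # @file tells the Vault CLI to read the argument from a file
  "$VAULT" write "auth/$mount/config" \
    kubernetes_host="$host" \
    kubernetes_ca_cert=@"$ca_file" \
    token_reviewer_jwt=@"$reviewer_jwt_file"

  "$VAULT" write "auth/$mount/role/$SA_NAME" \
    bound_service_account_names="$SA_NAME" \
    bound_service_account_namespaces="$SA_NAMESPACE" \
    token_policies="$POLICY_NAME" \
    token_ttl=1h
}

# Usage: VAULT_ADDR=... VAULT_TOKEN=... sh setup.sh apply
# Adding a cluster later means one more configure_cluster line here.
if [ "${1:-}" = "apply" ]; then
  write_shared_policy
  configure_cluster prod-east https://prod-east.example:6443 prod-east-ca.crt prod-east-reviewer.jwt
  configure_cluster prod-west https://prod-west.example:6443 prod-west-ca.crt prod-west-reviewer.jwt
fi
```

The grant is still evaluated per cluster (each mount only trusts its own API server's token review), which is what keeps a service account token from one cluster from being accepted by another's mount; the thing that becomes cluster-independent is the policy decision, because every mount's role names the same policy.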