diff --git a/pkg/auth/filter.go b/pkg/auth/filter.go
index d60ed23..472366a 100644
--- a/pkg/auth/filter.go
+++ b/pkg/auth/filter.go
@@ -33,6 +33,8 @@ var ExistingContext = ToMiddleware(AuthenticatorFunc(func(req *http.Request) (us
 return user, ok, nil
 }))
 
+const CattleAuthFailed = "X-API-Cattle-Auth-Failed"
+
 type Authenticator interface {
 Authenticate(req *http.Request) (user.Info, bool, error)
 }
@@ -144,6 +146,7 @@ func ToMiddleware(auth Authenticator) Middleware {
 return func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 info, ok, err := auth.Authenticate(req)
+ ctx := req.Context()
 if err != nil {
 info = &user.DefaultInfo{
 Name: "system:cattle:error",
@@ -153,6 +156,7 @@ func ToMiddleware(auth Authenticator) Middleware {
 "system:cattle:error",
 },
 }
+ ctx = request.WithValue(ctx, CattleAuthFailed, "true")
 } else if !ok {
 info = &user.DefaultInfo{
 Name: "system:unauthenticated",
@@ -162,8 +166,8 @@ func ToMiddleware(auth Authenticator) Middleware {
 },
 }
 }
+ ctx = request.WithUser(ctx, info)
 
- ctx := request.WithUser(req.Context(), info)
 req = req.WithContext(ctx)
 next.ServeHTTP(rw, req)
 })
diff --git a/pkg/podimpersonation/podimpersonation.go b/pkg/podimpersonation/podimpersonation.go
index c346a3b..30e3ced 100644
--- a/pkg/podimpersonation/podimpersonation.go
+++ b/pkg/podimpersonation/podimpersonation.go
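Review bot: The failed-authentication marker is stored under a plain string context key in `ctx = request.WithValue(ctx, CattleAuthFailed, "true")` (the `@@ -153,6 +156,7 @@` hunk), and the `@@ -33,6 +33,8 @@` hunk declares that key as an untyped exported string constant; the context package's guidance is to key stored values with an unexported type so that another package using the same string cannot read or overwrite the marker, and here the value is the signal that the authenticator errored, so a collision would silently change which requests downstream code treats as failed. If the string is also meant to serve as an HTTP header name elsewhere (its `X-API-…` shape suggests so, but nothing in these hunks shows it), keep the exported constant for the header and add a distinct context key, e.g. `type authFailedKey struct{}` with `ctx = request.WithValue(ctx, authFailedKey{}, "true")`, plus a small accessor so readers do not depend on the `"true"` string. The exported constant also has no doc comment; `// CattleAuthFailed marks a request whose authenticator returned an error rather than a clean unauthenticated result.` would do. The enclosing handler in ToMiddleware starts and ends outside these hunks.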
@@ -348,7 +348,19 @@ func (s *PodImpersonation) createPod(ctx context.Context, user user.Info, role *
 if err != nil {
 return nil, err
 }
-
+ if _, ok := tokenSecret.Data[v1.ServiceAccountTokenKey]; !ok {
+ for {
+ logrus.Debugf("wait for svc account secret to be populated with token %s", tokenSecret.Name)
+ time.Sleep(2 * time.Second)
+ tokenSecret, err = client.CoreV1().Secrets(sa.Namespace).Get(ctx, sc.Name, metav1.GetOptions{})
+ if err != nil {
+ return nil, err
+ }
+ if _, ok := tokenSecret.Data[v1.ServiceAccountTokenKey]; ok {
+ break
+ }
+ }
+ }
 pod = s.augmentPod(pod, sa, tokenSecret, podOptions.ImageOverride)
 
 if err := s.createConfigMaps(ctx, user, role, pod, podOptions, client); err != nil {
@@ -358,7 +370,6 @@ func (s *PodImpersonation) createPod(ctx context.Context, user user.Info, role *
 if err := s.createSecrets(ctx, role, pod, podOptions, client); err != nil {
 return nil, err
 }
-
 pod.OwnerReferences = ref(role)
 if pod.Annotations == nil {
 pod.Annotations = map[string]string{}
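Review bot: The polling loop added after the `if err != nil` block in the `@@ -348,7 +348,19 @@` hunk has no upper bound and does not observe cancellation: `for { … time.Sleep(2 * time.Second) … }` has no attempt limit, and `time.Sleep` ignores `ctx`, so a service-account secret that never receives a token (or a caller that has already given up) keeps this goroutine and its 2-second API polling alive indefinitely. Deriving a timeout context from `ctx`, selecting on it instead of sleeping, and passing it to the `Get` call bounds the wait and makes the loop stop as soon as the caller cancels; the rewrite below assumes `fmt` is imported in this file and uses a `tokenWaitTimeout` constant that still has to be defined. Separately, the `Get` call reads `sc.Name` while the debug log prints `tokenSecret.Name`; `sc` is declared outside the hunk, so I cannot tell whether both refer to the same secret — worth confirming. createPod begins and ends outside this hunk.
```go
if _, ok := tokenSecret.Data[v1.ServiceAccountTokenKey]; !ok {
	// Bound the wait so a secret that never receives a token cannot hang the request,
	// and stop early when the caller's ctx is cancelled.
	waitCtx, cancel := context.WithTimeout(ctx, tokenWaitTimeout) // tokenWaitTimeout: constant to define in this package
	defer cancel()
	for {
		logrus.Debugf("wait for svc account secret to be populated with token %s", tokenSecret.Name)
		select {
		case <-waitCtx.Done():
			return nil, fmt.Errorf("waiting for token in secret %s/%s: %w", sa.Namespace, sc.Name, waitCtx.Err())
		case <-time.After(2 * time.Second):
		}
		tokenSecret, err = client.CoreV1().Secrets(sa.Namespace).Get(waitCtx, sc.Name, metav1.GetOptions{})
		if err != nil {
			return nil, err
		}
		if _, ok := tokenSecret.Data[v1.ServiceAccountTokenKey]; ok {
			break
		}
	}
}
// … unchanged: augmentPod and the config map / secret creation …
```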