diff --git a/BeyondTrustConnector/Service/BeyondTrustCredentialClient.cs b/BeyondTrustConnector/Service/BeyondTrustCredentialClient.cs
index 2c9ca53..2b00870 100644
--- a/BeyondTrustConnector/Service/BeyondTrustCredentialClient.cs
+++ b/BeyondTrustConnector/Service/BeyondTrustCredentialClient.cs
@@ -10,12 +10,9 @@ internal class BeyondTrustCredentialClient(IHttpClientFactory httpClientFactory,
 {
 public async Task GetAccessToken(string beyondTrustTenantName)
 {
- var secret = await SecretReader.GetSecretAsync("BeyondTrustApi");
- var credential = JsonSerializer.Deserialize(secret);
- if (credential is null)
- {
- throw new Exception("Failed to deserialize BeyondTrust credential");
- }
+ var secretName = Environment.GetEnvironmentVariable("KEYVAULT_SECRET") ?? throw new Exception("KEYVAULT_SECRET environment variable is not set");
+ var secret = await SecretReader.GetSecretAsync(secretName);
+ var credential = JsonSerializer.Deserialize(secret) ?? throw new Exception("Failed to deserialize BeyondTrust credential");
 var client = httpClientFactory.CreateClient();
 var basicAuth = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{credential.ClientId}:{credential.ClientSecret}"));
 client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Basic", basicAuth);
diff --git a/main.bicep b/main.bicep
index c73786d..62c069a 100644
--- a/main.bicep
+++ b/main.bicep
@@ -7,6 +7,7 @@ type dataCollectionConfig = {
 type functionAppConfig = {
 name: string
 keyvaultName: string
+ keyvaultSecretName: string
 container: string
 }
@@ -35,6 +36,7 @@ module functionappModule './modules/functionapp.bicep' = {
 appName: '${functionConfig.name}-${uniqueString(resourceGroup().name)}'
 location: resourceGroup().location
 keyvaultName: functionConfig.keyvaultName
+ keyvaultSecretName: functionConfig.keyvaultSecretName
 userAssignedIdentityId: userAssignedIdentity.id
 clientId: userAssignedIdentity.properties.clientId
 container: functionConfig.container
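Review bot: The two `?? throw` expressions added in GetAccessToken throw the base `Exception` type; a missing or undeserializable configuration value is an `InvalidOperationException`, and throwing the base type forces callers to catch everything or nothing, e.g. `var secretName = Environment.GetEnvironmentVariable("KEYVAULT_SECRET") ?? throw new InvalidOperationException("KEYVAULT_SECRET environment variable is not set");`. The setting named `KEYVAULT_SECRET` carries the secret's name, not its value; a name such as `KEYVAULT_SECRET_NAME`, applied here and to the app setting added in the `modules/functionapp.bicep` hunk at `@@ -104,6 +105,10 @@`, makes that explicit and keeps log-redaction and secret-scanning tooling from treating a plain identifier as sensitive while the real credential is still fetched through SecretReader. GetAccessToken's body continues past the end of the hunk, and the generic argument of `JsonSerializer.Deserialize` appears to have been lost in rendering, so it is not reviewed here.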
@@ -53,7 +55,8 @@ module vaultSecretUserRoleAssignment './modules/vault-role-assignment.bicep' = {
 roleAssignmentName: '${uniqueString(functionConfig.name)}-keyvault-reader-role-assignment'
 roleDefinitionId: '4633458b-17de-408a-b874-0445c86b69e6' // Key Vault Secret User
 principalId: userAssignedIdentity.properties.principalId
- keyVaultName: functionConfig.keyvaultName
+ keyVaultName: functionConfig.keyvaultName
+ secretName: functionConfig.keyvaultSecret
 }
 }
diff --git a/main.bicepparam b/main.bicepparam
index 91bbf2e..6b0972a 100644
--- a/main.bicepparam
+++ b/main.bicepparam
@@ -9,5 +9,6 @@ param datacollection = {
 param functionConfig = {
 name: 'func-btconnect'
 keyvaultName: 'btvault'
+ keyvaultSecretName: 'BeyondTrustAPI'
 container: 'frodehus/beyondtrustconnector:v1.2'
 }
diff --git a/modules/functionapp.bicep b/modules/functionapp.bicep
index 6a32196..079e45c 100644
--- a/modules/functionapp.bicep
+++ b/modules/functionapp.bicep
@@ -26,6 +26,7 @@ var applicationInsightsName = appName
 param storageAccountName string = '${uniqueString(resourceGroup().id)}azfunctions'
 param container string = 'frodehus/beyondtrustconnector:v1.2'
 param keyvaultName string
+param keyvaultSecretName string
 param userAssignedIdentityId string
 param clientId string
@@ -104,6 +105,10 @@ resource functionApp 'Microsoft.Web/sites@2024-04-01' = {
 name: 'KEYVAULT_NAME'
 value:keyvaultName
 }
+ {
+ name: 'KEYVAULT_SECRET'
+ value: keyvaultSecretName
+ }
 {
 name: 'PRINCIPAL_ID'
 value: clientId
diff --git a/modules/vault-role-assignment.bicep b/modules/vault-role-assignment.bicep
index 3497160..430371d 100644
--- a/modules/vault-role-assignment.bicep
+++ b/modules/vault-role-assignment.bicep
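Review bot: `secretName: functionConfig.keyvaultSecret` refers to a property that `functionAppConfig` does not declare; the type (hunk `@@ -7,6 +7,7 @@`) and `main.bicepparam` both use `keyvaultSecretName`, so this line should fail Bicep type-checking rather than deploy. It should read `secretName: functionConfig.keyvaultSecretName`. Because this parameter decides which secret the Secrets User assignment in `modules/vault-role-assignment.bicep` is scoped to, it is the line that actually delivers the least-privilege narrowing and deserves a `bicep build` check before merge. The enclosing `module vaultSecretUserRoleAssignment` block starts before this hunk.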
@@ -5,21 +5,28 @@ param roleDefinitionId string
 param principalId string
 param keyVaultName string
+param secretName string
 resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = {
 name: keyVaultName
 }
+resource keyVaultSecret 'Microsoft.KeyVault/vaults/secrets@2024-04-01-preview' existing = {
+ parent: keyVault
+ name: secretName
+}
+
+
 resource vaultRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-05-01-preview' existing = {
 name: roleDefinitionId
 }
 resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
 name: guid(roleAssignmentName)
- scope: keyVault
+ scope: keyVaultSecret
 properties: {
 roleDefinitionId: vaultRoleDefinition.id
 principalId: principalId
- principalType: 'ServicePrincipal'
+ principalType: 'ServicePrincipal'
 }
 }
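Review bot: `roleAssignment` keeps `name: guid(roleAssignmentName)` while its `scope` moves from `keyVault` to `keyVaultSecret`; a role assignment's scope cannot be changed in place, so redeploying into an environment that already holds the vault-scoped assignment under that GUID is likely to be rejected. Deriving the name from the new scope, `name: guid(roleAssignmentName, keyVaultSecret.id)`, creates a distinct assignment instead. The template also does not remove the previous vault-wide Key Vault Secrets User assignment, so the narrowing to a single secret is not effective until that assignment is deleted out of band; a comment on the resource or a line in the deployment notes would stop readers from assuming the old grant is gone. The `existing` reference to `keyVaultSecret` presumably requires the secret to be present when this module deploys, which the ordering in `main.bicep` would need to guarantee — worth confirming.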