diff --git a/main.tf b/main.tf
index e66b45a..1b11d7c 100644
--- a/main.tf
+++ b/main.tf
@@ -17,6 +17,12 @@ provider "azurerm" {
   subscription_id = var.subscription_id
 }
 
+data "azurerm_client_config" "current" {}
+
+locals {
+  kv_secret_name = "azure-client-secret"
+}
+
 resource "azurerm_resource_group" "rg" {
   name     = "rg-${var.project_name}"
   location = "Poland Central"
@@ -30,18 +36,31 @@ resource "azurerm_log_analytics_workspace" "logaws" {
   retention_in_days = 30
 }
 
+resource "azurerm_key_vault" "kv" {
+  name                = "${var.project_name}-kv"
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  sku_name            = "standard"
+  tenant_id           = data.azurerm_client_config.current.tenant_id
+}
+
+resource "azurerm_role_assignment" "app_assignment" {
+  scope                = azurerm_key_vault.kv.id
+  principal_id         = azurerm_user_assigned_identity.uai.principal_id
+  role_definition_name = "Key Vault Secrets User"
+}
+
+resource "azurerm_key_vault_secret" "azure_client_secret" {
+  key_vault_id = azurerm_key_vault.kv.id
+  name         = local.kv_secret_name
+  value        = var.azure_client_secret
+}
+
 resource "azurerm_container_app_environment" "env" {
   name                       = "${var.project_name}-env"
   resource_group_name        = azurerm_resource_group.rg.name
   location                   = azurerm_resource_group.rg.location
   log_analytics_workspace_id = azurerm_log_analytics_workspace.logaws.id
-
-  workload_profile {
-    maximum_count         = 1
-    minimum_count         = 1
-    name                  = "Consumption"
-    workload_profile_type = "Consumption"
-  }
 }
 
 resource "azurerm_container_app" "app" {
@@ -50,6 +69,12 @@ resource "azurerm_container_app" "app" {
   resource_group_name = azurerm_resource_group.rg.name
   revision_mode       = "Single"
 
+  secret {
+    name                = local.kv_secret_name
+    key_vault_secret_id = azurerm_key_vault_secret.azure_client_secret.id
+    identity            = azurerm_user_assigned_identity.uai.id
+  }
+
   template {
     container {
       name = "azure-image-chooser"
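Review bot: The `azurerm_key_vault` "kv" block relies on the `Key Vault Secrets User` role granted by `azurerm_role_assignment.app_assignment`, but the vault is created with the default access-policy permission model, under which an RBAC role assignment grants no data-plane access and the container app's identity will be unable to read the secret; the vault needs `enable_rbac_authorization = true` (named `rbac_authorization_enabled` on azurerm provider 4.x). With RBAC enabled, the principal running Terraform also needs a data-plane role such as `Key Vault Secrets Officer` on the vault before `azurerm_key_vault_secret.azure_client_secret` can be written, which this commit does not add. The vault is also created without `purge_protection_enabled` or `soft_delete_retention_days`, so provider defaults apply; for a vault holding a client secret those should be set explicitly. Moving the value into Key Vault does not remove it from Terraform state: both `var.azure_client_secret` and the `value` attribute of the secret resource are stored there in plaintext, so the state backend still has to be protected as a secret store.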
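Review bot: The new `secret` block names the Container App secret `local.kv_secret_name`, i.e. `azure-client-secret`, but the `env` block later in this diff references it as `secret_name = "azure_client_secret"` (underscores), so the environment variable points at a secret that does not exist on the app; change that line to `secret_name = local.kv_secret_name` so both sides share the one definition. `key_vault_secret_id = azurerm_key_vault_secret.azure_client_secret.id` pins the app to one secret version, so a rotated secret is never picked up; `azurerm_key_vault_secret.azure_client_secret.versionless_id` tracks the current version instead. The app resolves the secret through `azurerm_user_assigned_identity.uai` at deploy time and nothing orders it after the role assignment, so `depends_on = [azurerm_role_assignment.app_assignment]` on `azurerm_container_app.app` avoids a first-apply failure while the role propagates. I cannot see whether the resource declares an `identity` block containing that user-assigned identity, which the `secret.identity` reference requires. `azurerm_container_app.app` continues outside the hunk.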
@@ -68,8 +93,8 @@ resource "azurerm_container_app" "app" {
       }
       env {
-        name  = "AZURE_CLIENT_SECRET"
-        value = var.azure_client_secret
+        name        = "AZURE_CLIENT_SECRET"
+        secret_name = "azure_client_secret"
       }
       env {