diff --git a/terraform/main.tf b/terraform/main.tf
index 1b11d7c..657078f 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -4,6 +4,11 @@ terraform {
       source = "hashicorp/azurerm"
       version = ">= 4.0.0"
     }
+
+    azuread = {
+      source = "hashicorp/azuread"
+      version = ">= 3.0.0"
+    }
   }
 
   backend "local" {
@@ -19,6 +24,10 @@ provider "azurerm" {
 
 data "azurerm_client_config" "current" {}
 
+data "azuread_user" "az_lab_admin" {
+  user_principal_name = "az-lab-admin@lab.koszewscy.waw.pl"
+}
+
 locals {
   kv_secret_name = "azure-client-secret"
 }
@@ -37,11 +46,12 @@ resource "azurerm_log_analytics_workspace" "logaws" {
 }
 
 resource "azurerm_key_vault" "kv" {
-  name = "${var.project_name}-kv"
-  location = azurerm_resource_group.rg.location
-  resource_group_name = azurerm_resource_group.rg.name
-  sku_name = "standard"
-  tenant_id = data.azurerm_client_config.current.tenant_id
+  name = "${var.project_name}-kv"
+  location = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  sku_name = "standard"
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  enable_rbac_authorization = true
 }
 
 resource "azurerm_role_assignment" "app_assignment" {
@@ -50,10 +60,18 @@ resource "azurerm_role_assignment" "app_assignment" {
   role_definition_name = "Key Vault Secrets User"
 }
 
+resource "azurerm_role_assignment" "az_lab_admin_assignment" {
+  scope = azurerm_key_vault.kv.id
+  principal_id = data.azuread_user.az_lab_admin.object_id
+  role_definition_name = "Key Vault Secrets Officer"
+}
+
 resource "azurerm_key_vault_secret" "azure_client_secret" {
   key_vault_id = azurerm_key_vault.kv.id
   name = local.kv_secret_name
   value = var.azure_client_secret
+
+  depends_on = [azurerm_role_assignment.az_lab_admin_assignment]
 }
 
 resource "azurerm_container_app_environment" "env" {
@@ -94,7 +112,7 @@ resource "azurerm_container_app" "app" {
 
       env {
         name = "AZURE_CLIENT_SECRET"
-        secret_name = "azure_client_secret"
+        secret_name = local.kv_secret_name
       }
 
       env {
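Review bot: The new `azuread` provider constraint `version = ">= 3.0.0"` is open-ended, so a fresh `terraform init` can pick up a future major release with breaking changes; the existing azurerm `>= 4.0.0` line just above it has the same shape. A pessimistic pin such as `version = "~> 3.0"` keeps provider upgrades deliberate, and committing `.terraform.lock.hcl` makes every apply resolve the same provider build and checksum.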
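Review bot: The `azuread_user` lookup hard-codes a personal UPN, `az-lab-admin@lab.koszewscy.waw.pl`, so the principal that receives Key Vault rights is baked into the module and the plan fails outright if that account is renamed or removed. Moving it to a variable, e.g. `user_principal_name = var.kv_admin_upn`, keeps the identity out of source and lets another operator apply the same code. If the intent is simply "whoever runs apply", `data.azurerm_client_config.current.object_id` is already on the page and needs no azuread lookup at all.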
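Review bot: `enable_rbac_authorization = true` switches the vault to RBAC, which makes any `access_policy` blocks or existing vault access policies inert, so a principal that relied on a policy loses access at apply; check the rest of main.tf for such blocks before merging. Under azurerm 4.x this attribute has, as far as I recall, been renamed to `rbac_authorization_enabled` with the old name deprecated, so watch the plan output for that warning. The visible vault definition also sets neither `purge_protection_enabled` nor `network_acls`; with a client secret stored inside, both deserve an explicit decision rather than the provider defaults.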
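Review bot: The `depends_on = [azurerm_role_assignment.az_lab_admin_assignment]` on the secret only helps when the principal running `terraform apply` is the az_lab_admin user; for any other operator or a CI service principal the write still fails with 403, because that principal holds no data-plane role on the vault. Ordering also does not cover Azure RBAC propagation, which can lag the assignment by a minute or more, so even that user may need a retry on first apply. A more portable shape is a role assignment for the deploying identity via `principal_id = data.azurerm_client_config.current.object_id`, with the user grant kept as a separate, clearly named assignment.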
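Review bot: `secret_name = local.kv_secret_name` in the env block names a Container Apps secret, not the Key Vault secret directly, so it only resolves if the app's `secret {}` block (outside this hunk, if present) declares the same name and points at the vault secret; confirm that block was updated to `name = local.kv_secret_name` as well, otherwise the reference breaks at apply. The move from `azure_client_secret` to the hyphenated local is also, as far as I know, what Container Apps secret naming requires, since underscores are not accepted there. The enclosing `azurerm_container_app` resource starts and ends outside the hunk.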
@@ -102,13 +120,8 @@ resource "azurerm_container_app" "app" {
         value = var.subscription_id
       }
     }
-
-    min_replicas = 1
-    max_replicas = 1
   }
 
-  workload_profile_name = "Consumption"
-
   ingress {
     target_port = 8501
     external_enabled = true
@@ -119,10 +132,21 @@ resource "azurerm_container_app" "app" {
     }
   }
 
+  identity {
+    type = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.uai.id]
+  }
+
   registry {
     server = "skdomlab.azurecr.io"
     identity = azurerm_user_assigned_identity.uai.id
   }
+
+  depends_on = [
+    azurerm_key_vault.kv,
+    azurerm_key_vault_secret.azure_client_secret,
+    azurerm_role_assignment.app_assignment
+  ]
 }
 
 resource "azurerm_user_assigned_identity" "uai" {
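Review bot: In the `depends_on` list, `azurerm_key_vault.kv` and `azurerm_key_vault_secret.azure_client_secret` are redundant if the app's `secret {}` block references the vault secret id, since Terraform derives that edge from the reference; the entry that actually matters is `azurerm_role_assignment.app_assignment`, which nothing else references. As with the secret resource, the explicit dependency orders creation but does not wait for RBAC propagation, so a 403 when the app first pulls the secret is still possible on a fresh apply. The new `identity {}` block is what makes the existing `registry { identity = ... }` reference valid, since an app cannot use a user-assigned identity it has not been assigned; it would be worth a one-line comment above it, `# Required so the registry block and Key Vault secret references can use uai`. The enclosing resource starts before the hunk and `azurerm_user_assigned_identity.uai` continues after it.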