diff --git a/kubernetes/apps/security/vault/app/externalsecret.yaml b/kubernetes/apps/security/vault/app/externalsecret.yaml
new file mode 100644
index 00000000..83076288
--- /dev/null
+++ b/kubernetes/apps/security/vault/app/externalsecret.yaml
@@ -0,0 +1,27 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: vault
+  namespace: security
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: vault-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        key: vault
+        property: AWS_SECRET_ACCESS_KEY
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        key: vault
+        property: AWS_ACCESS_KEY_ID
+    - secretKey: VAULT_AWSKMS_SEAL_KEY_ID
+      remoteRef:
+        key: vault
+        property: VAULT_AWSKMS_SEAL_KEY_ID
diff --git a/kubernetes/apps/security/vault/app/helmrelease.yaml b/kubernetes/apps/security/vault/app/helmrelease.yaml
index a2539850..0358555b 100644
--- a/kubernetes/apps/security/vault/app/helmrelease.yaml
+++ b/kubernetes/apps/security/vault/app/helmrelease.yaml
@@ -53,6 +53,16 @@ spec:
         VAULT_ADDR: "http://127.0.0.1:8200"
         VAULT_API_ADDR: "http://$(POD_IP):8200"
         VAULT_CLUSTER_ADDR: "http://$(POD_IP):8201"
+      extraSecretEnvironmentVars:
+        - envName: AWS_SECRET_ACCESS_KEY
+          secretName: vault-secret
+          secretKey: AWS_SECRET_ACCESS_KEY
+        - envName: AWS_ACCESS_KEY_ID
+          secretName: vault-secret
+          secretKey: AWS_ACCESS_KEY_ID
+        - envName: VAULT_AWSKMS_SEAL_KEY_ID
+          secretName: vault-secret
+          secretKey: VAULT_AWSKMS_SEAL_KEY_ID
       # These are defaults but explicitly set here for clarity.
       dataStorage:
         size: 4Gi
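Review bot: The AWS key pair that `data:` pulls into vault-secret is a long-lived static credential, and nothing in the file records how narrowly it is scoped, so a later reader cannot tell whether the IAM principal can do more than unseal. Add a comment above `data:` such as `# IAM user used only for awskms auto-unseal; limit it to kms:Encrypt, kms:Decrypt, kms:DescribeKey on the seal key`, and note where the key is rotated, since the ExternalSecret refreshes the Kubernetes Secret but does not rotate the upstream credential. Keep the `VAULT_AWSKMS_SEAL_KEY_ID` property name in sync with the env var of the same name consumed in helmrelease.yaml, as Vault reads the key id from that variable.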
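Review bot: The awskms seal's configuration ends up split across two places: the key id arrives through the `VAULT_AWSKMS_SEAL_KEY_ID` env var added under `extraSecretEnvironmentVars:` here, while the region is hard-coded in the `seal "awskms"` stanza of the later hunk (`region = "us-east-2"`). Keeping both in one place reads better — either add `kms_key_id` to the stanza, or supply `AWS_REGION` next to these secret env vars so the stanza carries nothing environment-specific. A one-line comment on `extraSecretEnvironmentVars:` naming the ExternalSecret that produces vault-secret would also help, since a missing or not-yet-synced Secret leaves the container in CreateContainerConfigError. The enclosing values block (presumably `server:`) starts and ends outside this hunk.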
@@ -71,7 +81,7 @@ spec: enabled: true # maxUnavailable will default to (n/2)-1 where n is the number of replicas # so if you have 6 replicas, maxUnavailable will be 2 unless you set it specifically. - replicas: 6 + replicas: 3 # clusterAddr: "https://vault-active.security.svc.cluster.local:8201" config: "" raft: @@ -97,10 +107,8 @@ spec: } } - seal "kubernetes" { - secret_name = "vault-unseal-keys" - secret_namespace = "security" - key_names = ["key1", "key2", "key3"] + seal "awskms" { + region = "us-east-2" } service_registration "kubernetes" {} diff --git a/kubernetes/apps/security/vault/app/kustomization.yaml b/kubernetes/apps/security/vault/app/kustomization.yaml index 5a7bd4d8..ebf6823a 100644 --- a/kubernetes/apps/security/vault/app/kustomization.yaml +++ b/kubernetes/apps/security/vault/app/kustomization.yaml @@ -4,4 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: security resources: + - ./externalsecret.yaml - ./helmrelease.yaml
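Review bot: Dropping `replicas: 6` to `replicas: 3` on a cluster that is already running six Raft voters leaves the three retired pods registered as peers, so quorum stays at four of six and the remaining nodes cannot elect a leader until the stale peers are removed with `vault operator raft remove-peer` (or autopilot dead-server cleanup is enabled). That is a rollout-order concern rather than a config error, but it deserves a comment next to the value, e.g. `# scaled down from 6; remove the retired raft peers and their PVCs after rollout`. If this is a fresh cluster the concern does not apply, which is worth stating in the same comment.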
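Review bot: Replacing the previous `seal` stanza outright means an already-initialized cluster will not unseal under `seal "awskms"`, because Vault only migrates between seals when the old stanza is still present and marked `disabled = "true"` while `vault operator unseal -migrate` is run on each node; if this cluster was initialized under the old seal, keep that stanza disabled next to the new one until the migration finishes and remove it in a follow-up. The new stanza also leaves credentials and key id implicit — a comment such as `# kms_key_id and AWS credentials come from the vault-secret env vars` saves the next reader a trip to externalsecret.yaml. The surrounding `config:` block scalar starts and ends outside the hunk.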