diff --git a/apps/ollama/kustomization.yaml b/apps/ollama/kustomization.yaml
index 143a5b6..d9b5bea 100644
--- a/apps/ollama/kustomization.yaml
+++ b/apps/ollama/kustomization.yaml
@@ -3,5 +3,6 @@ kind: Kustomization
 resources:
 - namespace.yaml
 - release.yaml
+ - secret.yaml
 - auth-proxy.yaml
 - ingress.yaml
diff --git a/apps/ollama/secret.yaml b/apps/ollama/secret.yaml
new file mode 100644
index 0000000..b9a4313
--- /dev/null
+++ b/apps/ollama/secret.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ollama-proxy
+ namespace: ollama
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: ollama
+ namespace: ollama
+spec:
+ method: kubernetes
+ mount: kubernetes
+ kubernetes:
+ role: ollama-proxy
+ serviceAccount: ollama-proxy
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: ollama-api-key
+ namespace: ollama
+spec:
+ type: kv-v2
+
+ mount: secret
+ path: ollama
+
+ destination:
+ create: true
+ name: ollama-api-key
+ type: Opaque
+ transformation:
+ excludeRaw: true
+
+ vaultAuthRef: ollama
diff --git a/vault/kubernetes-roles/ollama-proxy.yaml b/vault/kubernetes-roles/ollama-proxy.yaml
new file mode 100644
index 0000000..4f6b39c
--- /dev/null
+++ b/vault/kubernetes-roles/ollama-proxy.yaml
@@ -0,0 +1,6 @@
+bound_service_account_names:
+ - ollama-proxy
+bound_service_account_namespaces:
+ - ollama
+token_policies:
+ - ollama
diff --git a/vault/policy/ollama.hcl b/vault/policy/ollama.hcl
new file mode 100644
index 0000000..a6d6994
--- /dev/null
+++ b/vault/policy/ollama.hcl
@@ -0,0 +1,3 @@
+path "secret/data/ollama" {
+ capabilities = ["read"]
+}
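Review bot: In apps/ollama/secret.yaml the VaultStaticSecret `ollama-api-key` sets neither `refreshAfter` nor `rolloutRestartTargets`, so a key rotated in Vault may not reach the `ollama-api-key` Kubernetes Secret on a schedule (confirm what the operator does when `refreshAfter` is unset), and pods that already mounted the old value keep it until they are restarted. Adding `refreshAfter: 1h` (or whatever interval matches the rotation policy) under `spec` and listing the auth-proxy Deployment under `rolloutRestartTargets` closes that gap; the consuming workload lives in auth-proxy.yaml, which is outside this diff. Separately, if the `ollama-proxy` ServiceAccount exists only so the operator can log in to Vault, consider `automountServiceAccountToken: false` on it so application pods are not handed a token that can authenticate to Vault directly; if the proxy pods do run under this account, that deserves a comment on the ServiceAccount. `excludeRaw: true` is the right call, since it keeps the raw Vault response with its metadata out of the synced Secret.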
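Review bot: In vault/kubernetes-roles/ollama-proxy.yaml the role pins the service account name and namespace but leaves token lifetime and audience at the auth mount's defaults, so a leaked operator login token lives as long as the mount default TTL and the role accepts a projected token minted for any audience. Adding `token_ttl: 1h` (or a similar short value) keeps the operator's Vault tokens short-lived, and setting `audience` on the role together with `spec.kubernetes.audiences` on the VaultAuth in apps/ollama/secret.yaml binds the login to service-account tokens issued specifically for Vault; the operator is expected to re-authenticate on expiry, so a short TTL should not affect syncing. `token_policies` listing only `ollama` is correctly limited to the single read-only policy.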
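Review bot: The new vault/policy/ollama.hcl carries no comment tying it to its consumer, which makes the three Vault artifacts in this change harder to audit together; add `# Read-only access to the ollama API key, granted via the ollama-proxy kubernetes auth role` above the `path` stanza. The grant itself is appropriately narrow: a literal kv-v2 data path with `read` only and no `secret/metadata/ollama` entry, so the role cannot list, destroy or undelete versions.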