diff --git a/base/storage/kustomization.yaml b/base/storage/kustomization.yaml
index 32ba298..fa97b3c 100644
--- a/base/storage/kustomization.yaml
+++ b/base/storage/kustomization.yaml
@@ -9,3 +9,4 @@ resources:
 - seaweedfs-master.yaml
 - seaweedfs-volume.yaml
 - seaweedfs-filer.yaml
+ - vault-secrets.yaml
diff --git a/base/storage/seaweedfs-config.yaml b/base/storage/seaweedfs-config.yaml
index f922e80..b5e8883 100644
--- a/base/storage/seaweedfs-config.yaml
+++ b/base/storage/seaweedfs-config.yaml
@@ -16,22 +16,6 @@ data:
 enabled = true
 port = 8333
- s3.json: |
- {
- "identities": [
- {
- "name": "minioadmin",
- "credentials": [
- {
- "accessKey": "minioadmin",
- "secretKey": "minioadmin"
- }
- ],
- "actions": ["Admin", "Read", "Write", "List", "Tagging"]
- }
- ]
- }
-
 master.toml: |
 [master.maintenance]
 sleep_minutes = 17
diff --git a/base/storage/seaweedfs-filer.yaml b/base/storage/seaweedfs-filer.yaml
index 812a095..51f515e 100644
--- a/base/storage/seaweedfs-filer.yaml
+++ b/base/storage/seaweedfs-filer.yaml
@@ -38,7 +38,12 @@ spec:
 name: seaweedfs-s3-credentials
 volumeMounts:
 - name: config
- mountPath: /etc/seaweedfs
+ mountPath: /etc/seaweedfs/filer.toml
+ subPath: filer.toml
+ readOnly: true
+ - name: s3-json-secret
+ mountPath: /etc/seaweedfs/s3.json
+ subPath: s3.json
 readOnly: true
 - name: filer-data
 mountPath: /data/filer
@@ -52,6 +57,9 @@ spec:
 - name: config
 configMap:
 name: seaweedfs-filer-config
+ - name: s3-json-secret
+ secret:
+ secretName: seaweedfs-s3-json
 - name: filer-data
 emptyDir: {}
 ---
diff --git a/base/storage/vault-secrets.yaml b/base/storage/vault-secrets.yaml
new file mode 100644
index 0000000..dfb3858
--- /dev/null
+++ b/base/storage/vault-secrets.yaml
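Review bot: The `subPath` mounts added for `filer.toml` and `s3.json` in the volumeMounts hunk will not see updates to the backing ConfigMap or Secret — kubelet only propagates changes into whole-volume mounts — so a rotated `seaweedfs-s3-json` Secret stays stale inside the running filer until the pod is restarted. If the secret is meant to rotate, either mount the `s3-json-secret` volume as a directory (e.g. `mountPath: /etc/seaweedfs/s3` and point the filer's S3 config option at `/etc/seaweedfs/s3/s3.json`) or trigger a rollout restart of the filer whenever the Secret changes. The `config` mount also narrows from the whole `/etc/seaweedfs` directory to a single `filer.toml` subPath, so any other key in `seaweedfs-filer-config` is no longer mounted; confirm that ConfigMap holds only `filer.toml`. The container spec continues outside the hunk.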
@@ -0,0 +1,56 @@
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: vso-auth
+ namespace: storage
+spec:
+ method: kubernetes
+ mount: kubernetes
+ kubernetes:
+ role: vso
+ serviceAccount: default
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: seaweedfs-s3-credentials
+ namespace: storage
+spec:
+ vaultAuthRef: vso-auth
+ mount: secret
+ type: kv-v2
+ path: seaweedfs
+ refreshAfter: 30s
+ destination:
+ name: seaweedfs-s3-credentials
+ create: true
+ overwrite: true
+ transformation:
+ excludeRaw: true
+ templates:
+ S3_ACCESS_KEY:
+ text: "{{ index .Secrets \"access-key\" }}"
+ S3_SECRET_KEY:
+ text: "{{ index .Secrets \"secret-key\" }}"
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: seaweedfs-s3-json
+ namespace: storage
+spec:
+ vaultAuthRef: vso-auth
+ mount: secret
+ type: kv-v2
+ path: seaweedfs
+ refreshAfter: 30s
+ destination:
+ name: seaweedfs-s3-json
+ create: true
+ overwrite: true
+ transformation:
+ excludeRaw: true
+ templates:
+ "s3.json":
+ text: '{"identities":[{"name":"seaweed","credentials":[{"accessKey":"{{ index .Secrets "access-key" }}","secretKey":"{{ index .Secrets "secret-key" }}"}],"actions":["Admin","Read","Write","List","Tagging"]}]}'
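Review bot: The `VaultAuth` object authenticates with the namespace's `default` service account (`serviceAccount: default`), so if the Vault role `vso` is bound to that account, every pod in `storage` running under the default SA already holds a token that can read `secret/seaweedfs` directly rather than only the operator; a dedicated account used solely by VSO, e.g. `serviceAccount: vso-auth` with a matching `ServiceAccount` object and the Vault role bound to it, keeps that path narrower. The `s3.json` template splices the raw `access-key` and `secret-key` values into a JSON literal without escaping, so a value containing `"` or `\` produces a file the filer cannot parse; if the template functions available here include a JSON-quoting helper, apply it to both values, otherwise add a comment above the template stating that the Vault values must contain no quotes or backslashes. `refreshAfter: 30s` re-renders both Secrets every 30 seconds, but nothing in this manifest restarts the filer to pick up the new content, so a `rolloutRestartTargets` entry for the filer workload would make the refresh effective.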