diff --git a/services/maintenance/metis-deployment.yaml b/services/maintenance/metis-deployment.yaml
index 3bf11907..50b5128a 100644
--- a/services/maintenance/metis-deployment.yaml
+++ b/services/maintenance/metis-deployment.yaml
@@ -18,7 +18,17 @@ spec:
 prometheus.io/scrape: "true"
 prometheus.io/port: "8080"
 prometheus.io/path: "/metrics"
- metis.bstein.dev/config-rev: "2026-04-05-01"
+ metis.bstein.dev/config-rev: "2026-04-05-02"
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-pre-populate-only: "true"
+ vault.hashicorp.com/role: "maintenance"
+ vault.hashicorp.com/agent-inject-secret-metis-ssh-env.sh: "kv/data/atlas/maintenance/metis-ssh-keys"
+ vault.hashicorp.com/agent-inject-template-metis-ssh-env.sh: |
+ {{ with secret "kv/data/atlas/maintenance/metis-ssh-keys" }}
+ export METIS_SSH_KEY_BASTION="{{ .Data.data.bastion_pub }}"
+ export METIS_SSH_KEY_BRAD="{{ .Data.data.brad_pub }}"
+ export METIS_SSH_KEY_HECATE_TETHYS="{{ .Data.data.hecate_tethys_pub }}"
+ {{ end }}
 spec:
 serviceAccountName: metis
 terminationGracePeriodSeconds: 30
@@ -30,6 +40,12 @@ spec:
 - name: metis
 image: registry.bstein.dev/bstein/metis:0.1.0-21-amd64
 imagePullPolicy: Always
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ set -e
+ . /vault/secrets/metis-ssh-env.sh
+ exec metis serve
 envFrom:
 - configMapRef:
 name: metis
@@ -42,24 +58,6 @@ spec:
 name: metis-runtime
 key: k3s_token
 optional: true
- - name: METIS_SSH_KEY_BRAD
- valueFrom:
- secretKeyRef:
- name: metis-ssh-keys
- key: brad_pub
- optional: true
- - name: METIS_SSH_KEY_BASTION
- valueFrom:
- secretKeyRef:
- name: metis-ssh-keys
- key: bastion_pub
- optional: true
- - name: METIS_SSH_KEY_HECATE_TETHYS
- valueFrom:
- secretKeyRef:
- name: metis-ssh-keys
- key: hecate_tethys_pub
- optional: true
 ports:
 - name: http
 containerPort: 8080
diff --git a/services/maintenance/secretproviderclass.yaml b/services/maintenance/secretproviderclass.yaml
index ad99ff30..fae83c78 100644
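Review bot: The rendered `metis-ssh-env.sh` is sourced by the container shell (the `args` block in the next hunk), so every secret value in `export METIS_SSH_KEY_BASTION="{{ .Data.data.bastion_pub }}"` is interpreted as shell code: a `"`, `$`, backtick or backslash in a key's comment field would either break the script or be expanded. Single quotes narrow that to a lone `'`, e.g. `export METIS_SSH_KEY_BASTION='{{ .Data.data.bastion_pub }}'`, and injecting each key into its own file that metis reads directly would avoid treating secret data as code at all. The removed env entries were `optional: true`; with this template a key absent from the KV entry is presumably rendered as the literal `<no value>` (Go template behaviour, verify against the agent's output) and exported as a real string rather than left unset, so guard each export with `{{ if .Data.data.bastion_pub }}…{{ end }}` if that tolerance is still wanted.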
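Review bot: `exec metis serve` in the new `args` block assumes `/bin/sh` and a `metis` binary on `PATH` exist in `registry.bstein.dev/bstein/metis:0.1.0-21-amd64`, and the overriding `command` discards whatever ENTRYPOINT the image defined, which this diff does not show; confirm the image is not distroless and that `metis serve` is the complete original invocation. Because `set -e` makes a missing or unreadable `/vault/secrets/metis-ssh-env.sh` abort the container, the pod now hard-fails where the removed `optional: true` env entries tolerated an absent secret; that is consistent with `agent-pre-populate-only`, but worth stating above `args:`, e.g. `# SSH keys are mandatory: the container must not start without the injected env file`.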
--- a/services/maintenance/secretproviderclass.yaml
+++ b/services/maintenance/secretproviderclass.yaml
@@ -16,15 +16,6 @@ spec:
 - objectName: "harbor-core__harbor_admin_password"
 secretPath: "kv/data/atlas/harbor/harbor-core"
 secretKey: "harbor_admin_password"
- - objectName: "metis-ssh-keys__bastion_pub"
- secretPath: "kv/data/atlas/maintenance/metis-ssh-keys"
- secretKey: "bastion_pub"
- - objectName: "metis-ssh-keys__brad_pub"
- secretPath: "kv/data/atlas/maintenance/metis-ssh-keys"
- secretKey: "brad_pub"
- - objectName: "metis-ssh-keys__hecate_tethys_pub"
- secretPath: "kv/data/atlas/maintenance/metis-ssh-keys"
- secretKey: "hecate_tethys_pub"
 secretObjects:
 - secretName: harbor-regcred
 type: kubernetes.io/dockerconfigjson
@@ -36,12 +27,3 @@ spec:
 data:
 - objectName: harbor-core__harbor_admin_password
 key: METIS_HARBOR_PASSWORD
- - secretName: metis-ssh-keys
- type: Opaque
- data:
- - objectName: metis-ssh-keys__bastion_pub
- key: bastion_pub
- - objectName: metis-ssh-keys__brad_pub
- key: brad_pub
- - objectName: metis-ssh-keys__hecate_tethys_pub
- key: hecate_tethys_pub
diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh
index 82d90057..3d198d00 100644
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
@@ -230,7 +230,7 @@ write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \
 "crypto/* shared/harbor-pull" ""
 write_policy_and_role "health" "health" "health-vault-sync" \
 "health/*" ""
-write_policy_and_role "maintenance" "maintenance" "ariadne,maintenance-vault-sync" \
+write_policy_and_role "maintenance" "maintenance" "ariadne,maintenance-vault-sync,metis" \
 "maintenance/ariadne-db maintenance/metis-oidc maintenance/metis-ssh-keys portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret nextcloud/nextcloud-db nextcloud/nextcloud-admin health/wger-admin finance/firefly-secrets comms/mas-admin-client-runtime comms/atlasbot-credentials-runtime comms/synapse-db comms/synapse-admin vault/vault-oidc-config shared/harbor-pull harbor/harbor-core" ""
 write_policy_and_role "finance" "finance" "finance-vault" \
 "finance/* shared/postmark-relay" ""
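Review bot: Adding `metis` to the `maintenance` role's bound service accounts gives the metis pod read access to every path in that role's policy list — the Ariadne and portal DB credentials, the Keycloak admin, Mailu, Nextcloud, Synapse, the Vault OIDC config and Harbor core — while the deployment only injects `kv/data/atlas/maintenance/metis-ssh-keys`. If `write_policy_and_role`'s leading arguments are the policy/role name, namespace and bound service accounts (its definition is outside this hunk), a dedicated role scoped to what metis actually reads would keep least privilege, e.g. `write_policy_and_role "metis" "maintenance" "metis" "maintenance/metis-ssh-keys" ""` extended with any other path metis needs, with `vault.hashicorp.com/role` in the deployment pointing at it instead of `maintenance`. Whether the helper prefixes `kv/data/atlas/` to those entries is inferred from the neighbouring calls and should be checked against its body.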