diff --git a/services/comms/kustomization.yaml b/services/comms/kustomization.yaml
index 24e153c..b08f6db 100644
--- a/services/comms/kustomization.yaml
+++ b/services/comms/kustomization.yaml
@@ -12,7 +12,6 @@ resources:
   - mas-admin-client-secret-ensure-job.yaml
   - mas-secrets-ensure-rbac.yaml
   - mas-db-ensure-rbac.yaml
-  - mas-db-secret.yaml
   - mas-db-ensure-job.yaml
   - mas-deployment.yaml
   - element-rendered.yaml
diff --git a/services/comms/mas-db-ensure-job.yaml b/services/comms/mas-db-ensure-job.yaml
index 92252a2..1c8b5c4 100644
--- a/services/comms/mas-db-ensure-job.yaml
+++ b/services/comms/mas-db-ensure-job.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: mas-db-ensure-15
+  name: mas-db-ensure-16
   namespace: comms
 spec:
   backoffLimit: 1
@@ -35,9 +35,7 @@ spec:
                 fi
               else
                 MAS_PASS="$(safe_pass)"
-                MAS_B64="$(printf '%s' "${MAS_PASS}" | base64 | tr -d '\n')"
-                payload="$(printf '{"data":{"password":"%s"}}' "${MAS_B64}")"
-                kubectl -n comms patch secret mas-db --type=merge -p "${payload}" >/dev/null
+                kubectl -n comms create secret generic mas-db --from-literal=password="${MAS_PASS}" >/dev/null
               fi
 
               POD_NAME="$(kubectl -n postgres get pods -l app=postgres -o jsonpath='{.items[0].metadata.name}')"
diff --git a/services/comms/mas-db-ensure-rbac.yaml b/services/comms/mas-db-ensure-rbac.yaml
index 06522b9..19691d7 100644
--- a/services/comms/mas-db-ensure-rbac.yaml
+++ b/services/comms/mas-db-ensure-rbac.yaml
@@ -14,6 +14,9 @@ rules:
     resources: ["secrets"]
     resourceNames: ["mas-db"]
     verbs: ["get", "patch", "update"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["create"]
   - apiGroups: [""]
     resources: ["pods"]
     verbs: ["get", "list"]