diff --git a/services/finance/finance-secrets-ensure-job.yaml b/services/finance/finance-secrets-ensure-job.yaml
index 1402d14..396e16d 100644
--- a/services/finance/finance-secrets-ensure-job.yaml
+++ b/services/finance/finance-secrets-ensure-job.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: finance-secrets-ensure-1
+  name: finance-secrets-ensure-2
   namespace: finance
 spec:
   backoffLimit: 1
@@ -32,7 +32,12 @@ spec:
       containers:
         - name: ensure
           image: alpine:3.20
-          command: ["/scripts/finance_secrets_ensure.sh"]
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              set -e
+              apk add --no-cache bash curl jq >/dev/null
+              exec bash /scripts/finance_secrets_ensure.sh
           env:
             - name: VAULT_ROLE
               value: finance-secrets
diff --git a/services/finance/scripts/finance_secrets_ensure.sh b/services/finance/scripts/finance_secrets_ensure.sh
index a0dca4a..33a2d73 100755
--- a/services/finance/scripts/finance_secrets_ensure.sh
+++ b/services/finance/scripts/finance_secrets_ensure.sh
@@ -1,8 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-apk add --no-cache curl jq >/dev/null
-
 vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"
 vault_role="${VAULT_ROLE:-finance-secrets}"
 jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"