diff --git a/services/jenkins/kustomization.yaml b/services/jenkins/kustomization.yaml
index aab859a..df51968 100644
--- a/services/jenkins/kustomization.yaml
+++ b/services/jenkins/kustomization.yaml
@@ -5,11 +5,14 @@ namespace: jenkins
 resources:
 - namespace.yaml
 - serviceaccount.yaml
+ - vault-serviceaccount.yaml
 - pvc.yaml
 - cache-pvc.yaml
 - plugins-pvc.yaml
 - configmap-jcasc.yaml
 - configmap-plugins.yaml
+ - secretproviderclass.yaml
+ - vault-sync-deployment.yaml
 - deployment.yaml
 - service.yaml
 - ingress.yaml
diff --git a/services/jenkins/secretproviderclass.yaml b/services/jenkins/secretproviderclass.yaml
new file mode 100644
index 0000000..a9d9dd5
--- /dev/null
+++ b/services/jenkins/secretproviderclass.yaml
@@ -0,0 +1,21 @@
+# services/jenkins/secretproviderclass.yaml
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: jenkins-vault
+ namespace: jenkins
+spec:
+ provider: vault
+ parameters:
+ vaultAddress: "http://vault.vault.svc.cluster.local:8200"
+ roleName: "jenkins"
+ objects: |
+ - objectName: "harbor-pull__dockerconfigjson"
+ secretPath: "kv/data/atlas/shared/harbor-pull"
+ secretKey: "dockerconfigjson"
+ secretObjects:
+ - secretName: harbor-bstein-robot
+ type: kubernetes.io/dockerconfigjson
+ data:
+ - objectName: harbor-pull__dockerconfigjson
+ key: .dockerconfigjson
diff --git a/services/jenkins/vault-serviceaccount.yaml b/services/jenkins/vault-serviceaccount.yaml
new file mode 100644
index 0000000..8d31400
--- /dev/null
+++ b/services/jenkins/vault-serviceaccount.yaml
@@ -0,0 +1,6 @@
+# services/jenkins/vault-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: jenkins-vault-sync
+ namespace: jenkins
diff --git a/services/jenkins/vault-sync-deployment.yaml b/services/jenkins/vault-sync-deployment.yaml
new file mode 100644
index 0000000..6de64f9
--- /dev/null
+++ b/services/jenkins/vault-sync-deployment.yaml
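Review bot: The `secretObjects` block in secretproviderclass.yaml mirrors the Harbor robot credential from Vault into a plain Kubernetes Secret `harbor-bstein-robot` in the `jenkins` namespace, so it becomes readable to any principal with `get`/`list` on secrets there rather than only to pods that mount the CSI volume, and nothing in the file records that this widening is intended. A two-line comment above `secretObjects` would do: `# Mirrored into a K8s Secret (presumably for imagePullSecrets); it only exists while a pod mounts this SecretProviderClass — see vault-sync-deployment.yaml.` Separately, `vaultAddress` is plain `http://`, so the Kubernetes-auth login and the returned credential cross the cluster network unencrypted; if the Vault listener offers TLS, switching to `https://` together with `vaultCACertPath` is the cheap fix, and if it does not, a comment stating that the in-cluster network is treated as trusted would at least make the decision visible.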
@@ -0,0 +1,34 @@
+# services/jenkins/vault-sync-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: jenkins-vault-sync
+ namespace: jenkins
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: jenkins-vault-sync
+ template:
+ metadata:
+ labels:
+ app: jenkins-vault-sync
+ spec:
+ serviceAccountName: jenkins-vault-sync
+ containers:
+ - name: sync
+ image: alpine:3.20
+ command: ["/bin/sh", "-c"]
+ args:
+ - "sleep infinity"
+ volumeMounts:
+ - name: vault-secrets
+ mountPath: /vault/secrets
+ readOnly: true
+ volumes:
+ - name: vault-secrets
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: jenkins-vault
diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh
index 00fa567..a956e0e 100644
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
@@ -218,7 +218,7 @@ write_policy_and_role "nextcloud" "nextcloud" "nextcloud-vault" \
 "nextcloud/* shared/keycloak-admin shared/postmark-relay" ""
 write_policy_and_role "comms" "comms" "comms-vault,atlasbot" \
 "comms/* shared/chat-ai-keys-runtime shared/harbor-pull" ""
-write_policy_and_role "jenkins" "jenkins" "jenkins" \
+write_policy_and_role "jenkins" "jenkins" "jenkins,jenkins-vault-sync" \
 "jenkins/* shared/harbor-pull" ""
 write_policy_and_role "monitoring" "monitoring" "monitoring-vault-sync" \
 "monitoring/* shared/postmark-relay shared/harbor-pull" ""
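Review bot: The `sleep infinity` container in vault-sync-deployment.yaml runs long-lived, as root by default for `alpine:3.20`, with the Harbor robot credential mounted at `/vault/secrets`, and there is no `securityContext` at pod or container level nor any comment saying why a no-op pod exists at all. The `secretObjects` mirror in secretproviderclass.yaml only materialises while some pod mounts the volume, which appears to be this Deployment's sole purpose — a header comment such as `# Keeps the jenkins-vault CSI volume mounted so the synced harbor-bstein-robot Secret stays present; the container itself does nothing.` would spare the next reader the investigation. Hardening the pod as below (non-root, no privilege escalation, all capabilities dropped, read-only root filesystem) costs nothing for a process that only sleeps; confirm that the CSI-mounted files stay readable by the chosen UID, since that depends on the driver's file-permission setting. `image: alpine:3.20` is a floating tag, so pinning by digest would make the pod reproducible, but that is minor next to the above.
```yaml
    spec:
      serviceAccountName: jenkins-vault-sync
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: sync
          image: alpine:3.20
          # … unchanged: command, args …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: volumeMounts …
      # … unchanged: volumes …
```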
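Review bot: Binding `jenkins-vault-sync` to the existing `jenkins` role grants the sync pod the whole `jenkins/*` path set, while the SecretProviderClass it serves reads only `shared/harbor-pull`. If `write_policy_and_role` takes (name, namespace, bound service accounts, paths, …) as the neighbouring calls suggest, a dedicated role `write_policy_and_role "jenkins-vault-sync" "jenkins" "jenkins-vault-sync" "shared/harbor-pull" ""` with `roleName` in secretproviderclass.yaml switched to match would keep the least-privilege boundary; the helper's definition lies outside the hunk, so confirm its parameter order first. Either way, a trailing comment on the changed line naming which workload `jenkins-vault-sync` belongs to (`# CSI sync pod, services/jenkins/vault-sync-deployment.yaml`) would help the next person auditing these bindings.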