diff --git a/services/communication/kustomization.yaml b/services/communication/kustomization.yaml
index 7213794..2cf8b4f 100644
--- a/services/communication/kustomization.yaml
+++ b/services/communication/kustomization.yaml
@@ -6,7 +6,6 @@ resources:
 - synapse-rendered.yaml
 - synapse-signingkey-ensure-job.yaml
 - mas-configmap.yaml
- - mas-admin-client-secret.yaml
 - mas-admin-client-secret-ensure-job.yaml
 - mas-deployment.yaml
 - mas-ingress.yaml
diff --git a/services/communication/mas-admin-client-secret-ensure-job.yaml b/services/communication/mas-admin-client-secret-ensure-job.yaml
index 210e729..ff8d282 100644
--- a/services/communication/mas-admin-client-secret-ensure-job.yaml
+++ b/services/communication/mas-admin-client-secret-ensure-job.yaml
@@ -13,8 +13,11 @@ metadata:
 rules:
 - apiGroups: [""]
 resources: ["secrets"]
- resourceNames: ["mas-admin-client"]
+ resourceNames: ["mas-admin-client-runtime"]
 verbs: ["get", "patch", "update"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -33,7 +36,7 @@ subjects:
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: mas-admin-client-secret-ensure-6
+ name: mas-admin-client-secret-ensure-7
 namespace: comms
 spec:
 backoffLimit: 2
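Review bot: The added rule in the Role (hunk `-13,8 +13,11` of mas-admin-client-secret-ensure-job.yaml) grants `create` on `secrets` with no `resourceNames`, so the job's service account can now create any Secret in the Role's namespace, not only `mas-admin-client-runtime`. Kubernetes cannot restrict `create` by resource name, so this is the narrowest form the verb allows, but the widening deserves a comment above the rule, for example `# create cannot be limited by resourceNames; this service account must stay exclusive to the ensure job`. If the namespace-wide grant is not acceptable, the alternative is to keep an empty placeholder Secret in the manifests so the job needs only `get`/`patch` on the named object; whether that conflicts with the reason the static manifest was dropped from kustomization.yaml is not visible here. The Role's metadata starts outside the hunk.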
@@ -64,12 +67,18 @@ spec:
 args:
 - |
 set -euo pipefail
- if kubectl -n comms get secret mas-admin-client -o jsonpath='{.data.client_secret}' 2>/dev/null | grep -q .; then
+ if kubectl -n comms get secret mas-admin-client-runtime >/dev/null 2>&1; then
+ if kubectl -n comms get secret mas-admin-client-runtime -o jsonpath='{.data.client_secret}' 2>/dev/null | grep -q .; then
+ exit 0
+ fi
+ else
+ kubectl -n comms create secret generic mas-admin-client-runtime \
+ --from-file=client_secret=/work/client_secret >/dev/null
 exit 0
 fi
 secret_b64="$(base64 /work/client_secret | tr -d '\n')"
 payload="$(printf '{"data":{"client_secret":"%s"}}' "${secret_b64}")"
- kubectl -n comms patch secret mas-admin-client --type=merge -p "${payload}" >/dev/null
+ kubectl -n comms patch secret mas-admin-client-runtime --type=merge -p "${payload}" >/dev/null
 volumeMounts:
 - name: work
 mountPath: /work
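Review bot: The rewritten patch line near the end of this hunk still hands the base64 client secret to kubectl as a `-p` argument, so the value sits in the process command line where node-level exec auditing or anything sharing the PID namespace can record it. Writing the payload to the work volume and passing a file keeps it out of argv: `printf '{"data":{"client_secret":"%s"}}' "${secret_b64}" > /work/payload.json` followed by `kubectl -n comms patch secret mas-admin-client-runtime --type=merge --patch-file=/work/payload.json >/dev/null`. This assumes /work is writable here and the image's kubectl supports `--patch-file`; the container spec starts outside the hunk, so neither is visible. Separately, the outer `get ... >/dev/null 2>&1` treats any failure, including a forbidden or timed-out request, as "secret absent", so a one-line comment saying that `create` is then expected to fail loudly under `set -e` would help the next reader.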