diff --git a/minio/manifests/secret.yaml b/minio/manifests/secret.yaml
index c042aed..df0ebd2 100644
--- a/minio/manifests/secret.yaml
+++ b/minio/manifests/secret.yaml
@@ -28,3 +28,37 @@ spec:
       remoteRef:
         key: minio
         property: ROOT_PASSWORD
+---
+apiVersion: external-secrets.io/v1
+kind: ClusterExternalSecret
+metadata:
+  name: minio-s3-credentials
+spec:
+  namespaceSelector:
+    matchLabels:
+      minio-s3: enabled
+  refreshInterval: 1h
+  externalSecretSpec:
+    secretStoreRef:
+      kind: ClusterSecretStore
+      name: vault-backend
+    target:
+      name: minio-s3-credentials
+      creationPolicy: Owner
+    data:
+      - secretKey: AWS_ACCESS_KEY_ID
+        remoteRef:
+          key: minio-s3-credentials
+          property: AWS_ACCESS_KEY_ID
+      - secretKey: AWS_SECRET_ACCESS_KEY
+        remoteRef:
+          key: minio-s3-credentials
+          property: AWS_SECRET_ACCESS_KEY
+      - secretKey: AWS_REGION
+        remoteRef:
+          key: minio-s3-credentials
+          property: AWS_REGION
+      - secretKey: AWS_S3_ENDPOINT
+        remoteRef:
+          key: minio-s3-credentials
+          property: AWS_S3_ENDPOINT
diff --git a/zot/argocd.yaml b/zot/argocd.yaml
index 9bb2129..99cbecc 100644
--- a/zot/argocd.yaml
+++ b/zot/argocd.yaml
@@ -41,4 +41,5 @@ spec:
     managedNamespaceMetadata:
       labels:
         goldilocks.fairwinds.com/enabled: 'true'
+        minio-s3: enabled
   revisionHistoryLimit: 10