diff --git a/azure_jumpstart_ag/contoso_motors/bicep/data/keyVault.bicep b/azure_jumpstart_ag/contoso_motors/bicep/data/keyVault.bicep
index c0b7ad3428..0ce69f7cc6 100644
--- a/azure_jumpstart_ag/contoso_motors/bicep/data/keyVault.bicep
+++ b/azure_jumpstart_ag/contoso_motors/bicep/data/keyVault.bicep
@@ -24,6 +24,9 @@ param resourceTags object = {
 Project: 'Jumpstart_azure_aio'
 }
 
+@description('Azure service principal object id')
+param spnObjectId string
+
 resource akv 'Microsoft.KeyVault/vaults@2023-02-01' = {
 name: akvNameSite1
 location: location
@@ -33,7 +36,15 @@ resource akv 'Microsoft.KeyVault/vaults@2023-02-01' = {
 name: akvSku
 family: 'A'
 }
- accessPolicies: []
+ accessPolicies: [
+ {
+ tenantId: tenantId
+ objectId: spnObjectId
+ permissions: {
+ secrets: ['get', 'list']
+ }
+ }
+ ]
 enableSoftDelete: false
 tenantId: tenantId
 }
diff --git a/azure_jumpstart_ag/contoso_motors/bicep/main.bicep b/azure_jumpstart_ag/contoso_motors/bicep/main.bicep
index a2932d6149..8392341da1 100644
--- a/azure_jumpstart_ag/contoso_motors/bicep/main.bicep
+++ b/azure_jumpstart_ag/contoso_motors/bicep/main.bicep
@@ -187,6 +187,7 @@ module keyVault 'data/keyVault.bicep' = {
 akvNameSite1: akvNameSite1
 akvNameSite2: akvNameSite2
 location: location
+ spnObjectId: spnObjectId
 }
 }
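Review bot: In the first hunk of data/keyVault.bicep, the new `spnObjectId` parameter is described only as 'Azure service principal object id' and is not validated, so the wrong identifier can be passed without any deployment error. An access policy takes effect only for the object ID of the service principal (enterprise application). Passing the application (client) ID or the app registration's object ID still deploys but grants nothing, which is hard to diagnose later. I would reword it to `@description('Object ID of the service principal (enterprise application), not the application/client ID')` and add `@minLength(36)` and `@maxLength(36)` above the `param` line so a malformed value fails at deployment time.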
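Review bot: In the second hunk of data/keyVault.bicep, the new `accessPolicies` entry grants the service principal `list` as well as `get`, so a leaked SPN credential can enumerate every secret name in the vault. If the consumer reads secrets by known name, `secrets: ['get']` is sufficient. Access policies are vault-wide, so this identity can also read any secret added to the vault later. Setting `enableRbacAuthorization: true` and assigning the Key Vault Secrets User role would let the grant be scoped and audited like other role assignments. The unchanged context line `enableSoftDelete: false` also means a deleted secret cannot be recovered, which is worth revisiting now that an automation identity depends on the vault. The `akv` resource body starts above this hunk and continues past it.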