diff --git a/README.md b/README.md
index 4399e2f..f7dfa28 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,7 @@ az ad sp create-for-rbac --name "Github-Actions-SP" \
 ```powershell
 az ad sp create-for-rbac --name "Github-Actions-SP" `
 --role contributor `
- --scopes /subscriptions/c19b5a5a-e3a7-495b-b6e3-14dbafe30ebd `
+ --scopes /subscriptions/c39b5a5a-e3a7-495b-b6e3-84dbafe30ebd `
 --sdk-auth
 ```
diff --git a/infrastructure/main.bicep b/infrastructure/main.bicep
index ca83ec5..7d7fffc 100644
--- a/infrastructure/main.bicep
+++ b/infrastructure/main.bicep
@@ -2,7 +2,15 @@ param location string = resourceGroup().location
 var uniqueId = uniqueString(resourceGroup().id)
-module apiService 'modules/compute/appservice.bicep'= {
+module keyVault './modules/secrets/keyvault.bicep' = {
+ name: 'keyVaultDeployment'
+ params: {
+ vaultName: 'kv-${uniqueId}'
+ location: location
+ }
+}
+
+module apiService 'modules/compute/appservice.bicep' = {
 name: 'apiDeployment'
 params: {
 location: location
@@ -10,6 +18,3 @@ module apiService 'modules/compute/appservice.bicep'= {
 appServiceplanName: 'plan-api-${uniqueId}'
 }
 }
-
-
-
diff --git a/infrastructure/modules/secrets/keyvault.bicep b/infrastructure/modules/secrets/keyvault.bicep
new file mode 100644
index 0000000..b575b93
--- /dev/null
+++ b/infrastructure/modules/secrets/keyvault.bicep
@@ -0,0 +1,20 @@
+ param location string = resourceGroup().location
+ param vaultName string
+
+ resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
+ name: vaultName
+ location: location
+ properties: {
+ sku: {
+ family: 'A'
+ name: 'standard'
+ }
+ enableRbacAuthorization: true
+ tenantId: subscription().tenantId
+
+ }
+ }
+
+
+ output id string = keyVault.id
+ output name string = keyVault.name
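Review bot: Nothing in the first main.bicep hunk grants any identity access to the new vault, and the `keyVault` module's `id` and `name` outputs are not passed to `apiService` or used anywhere visible. The vault is created with `enableRbacAuthorization: true`, so the data plane stays closed to every principal until a role assignment exists. If the app service is meant to read secrets, it needs a managed identity plus a role assignment scoped to this vault with a read-only secrets role such as Key Vault Secrets User; whether appservice.bicep already does this cannot be seen here. Until then I would add above the module `// RBAC-mode vault: data-plane access requires explicit role assignments (none are created in this file)`. The `apiService` params block continues outside the hunk.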
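Review bot: The vault in keyvault.bicep is created without `enablePurgeProtection` and without `networkAcls` or `publicNetworkAccess`. Under the resource defaults, a deleted vault or secret can therefore be purged before the soft-delete retention ends, and the data plane accepts connections from any network. Setting these in `properties` closes both gaps, but each needs a decision before merge: purge protection cannot be switched off once enabled, and a default-deny firewall also blocks a pipeline that writes secrets from hosted runners unless that path is allowed explicitly. The fence shows the properties to add after `enableRbacAuthorization`.

```bicep
    enableRbacAuthorization: true
    // Purge protection is irreversible once enabled; confirm the retention period first.
    enablePurgeProtection: true
    softDeleteRetentionInDays: 90
    // Deny by default; add ipRules / virtualNetworkRules for the callers that need access.
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
    // … unchanged: tenantId …
```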