diff --git a/app/lib/services/vault_service.rb b/app/lib/services/vault_service.rb
index 5566ede..6b52142 100644
--- a/app/lib/services/vault_service.rb
+++ b/app/lib/services/vault_service.rb
@@ -41,8 +41,7 @@ def enable_engine(mount, type)
       end
 
       def kv_mount
-        # TODO should this be dynamic based on identity?
-        "astralkv"
+        Rails.configuration.astral[:vault_kv_mount]
       end
     end
   end
diff --git a/config/astral.yml b/config/astral.yml
index 76592b4..4d97f43 100644
--- a/config/astral.yml
+++ b/config/astral.yml
@@ -2,6 +2,7 @@ shared:
   vault_addr: <%= ENV["VAULT_ADDR"] %>
   vault_token: <%= ENV["VAULT_TOKEN"] %>
   vault_cert_path: "pki_int/issue/learn"
+  vault_kv_mount: <%= ENV["VAULT_KV_MOUNT"] || "astralkv" %>
   jwt_signing_key: <%= ENV["JWT_SIGNING_KEY"] %>
   cert_ttl: <%= ENV["CERT_TTL"] %>
   app_registry_addr: <%= ENV["APP_REGISTRY_ADDR"] %>