diff --git a/cluster-service/Makefile b/cluster-service/Makefile
index 885d756f2..5d7c35e64 100644
--- a/cluster-service/Makefile
+++ b/cluster-service/Makefile
@@ -20,9 +20,13 @@ deploy:
 -n clusters-service \
 --query clientId) && \
 CS_SERVICE_PRINCIPAL_CREDS_BASE64='$(shell az keyvault secret show --vault-name "service-kv-aro-hcp-dev" --name "aro-hcp-dev-sp-cs" | jq .value -r | base64 | tr -d '\n')' && \
+ TENANT_ID=$(shell az account show --query tenantId --output tsv) && \
+ KEYVAULT_NAME=$(shell az keyvault list --query "[?starts_with(name, 'service-kv')].name" -g ${REGIONAL_RESOURCEGROUP} --output tsv) && \
 oc process --local -f deploy/openshift-templates/arohcp-service-template.yml \
 -p AZURE_CS_MI_CLIENT_ID=$${AZURE_CS_MI_CLIENT_ID} \
+ -p TENANT_ID=$${TENANT_ID} \
 -p REGION=${REGION} \
+ -p KEYVAULT_NAME=${KEYVAULT_NAME}
 -p CS_SERVICE_PRINCIPAL_CREDS_BASE64=$${CS_SERVICE_PRINCIPAL_CREDS_BASE64} \
 -p IMAGE_REGISTRY=${ARO_HCP_IMAGE_ACR}.azurecr.io \
 -p IMAGE_REPOSITORY=app-sre/uhc-clusters-service \
diff --git a/cluster-service/deploy/openshift-templates/arohcp-service-template.yml b/cluster-service/deploy/openshift-templates/arohcp-service-template.yml
index 6b18eb541..95d599763 100644
--- a/cluster-service/deploy/openshift-templates/arohcp-service-template.yml
+++ b/cluster-service/deploy/openshift-templates/arohcp-service-template.yml
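Review bot: The added `-p KEYVAULT_NAME=${KEYVAULT_NAME}` is the only `-p` line of the `oc process` invocation without a trailing ` \`, so the continuation stops there and `-p CS_SERVICE_PRINCIPAL_CREDS_BASE64=...` together with the parameters after it are no longer passed to the command (the template marks CS_SERVICE_PRINCIPAL_CREDS_BASE64 as `required: true`, so processing would fail). The same line also expands `${KEYVAULT_NAME}` at the Make level, while the value is assigned two lines earlier as a shell variable inside the recipe and the neighbouring new line uses the shell form `$${TENANT_ID}`; unless a Make variable of that name exists elsewhere in the Makefile, an empty vault name is passed. The line should read `-p KEYVAULT_NAME=$${KEYVAULT_NAME} \`. The `az keyvault list --query "[?starts_with(name, 'service-kv')].name"` lookup returns every matching vault in the resource group, so with more than one match the tsv output spans several lines; checking for exactly one result (or matching the full name) would make the assignment deterministic. The `deploy` recipe begins before this hunk and continues after it.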
@@ -222,8 +222,35 @@ parameters:
 - name: CS_SERVICE_PRINCIPAL_CREDS_BASE64
 description: Base64 encoded service principal credentials for CS. This is temporary for P1
 required: true
+- name: KEYVAULT_NAME
+ description: The name of the Key Vault where the first party credentials are stored.
+ value: "service-kv-aro-hcp-dev"
+- name: TENANT_ID
+ description: The Tenant ID of Key Vault.
+ value: ""
+
 objects:
+- apiVersion: secrets-store.csi.x-k8s.io/v1
+ kind: SecretProviderClass
+ metadata:
+ name: cs-keyvault
+ namespace: ${NAMESPACE}
+ spec:
+ parameters:
+ clientID: ${AZURE_CS_MI_CLIENT_ID}
+ cloudName: AzurePublicCloud
+ keyvaultName: ${KEYVAULT_NAME}
+ objects: |-
+ array:
+ - |
+ objectName: firstPartyMock
+ objectType: secret
+ objectAlias: "firstPartyMock"
+ tenantId: ${TENANT_ID}
+ usePodIdentity: "false"
+ provider: azure
+
 - apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -409,6 +436,12 @@ objects:
 - name: azure-credentials
 secret:
 secretName: azure-credentials
+ - name: keyvault
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: cs-keyvault
 initContainers:
 - name: init
 image: ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}:${IMAGE_TAG}
@@ -465,6 +498,9 @@ objects:
 subPath: cloud-region-constraints.yaml
 - name: azure-credentials
 mountPath: /secrets/azure-credentials
+ - name: keyvault
+ mountPath: "/secrets/keyvault"
+ readOnly: true
 env:
 - name: NAMESPACE
 valueFrom:
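Review bot: The new TENANT_ID parameter defaults to `value: ""` while the SecretProviderClass renders it as an unquoted `tenantId: ${TENANT_ID}`, so a deployment that omits the parameter emits a `tenantId:` with no value and the Azure provider is left without a tenant to authenticate against; marking it `required: true` like CS_SERVICE_PRINCIPAL_CREDS_BASE64 just above it, or at least quoting it as `tenantId: "${TENANT_ID}"`, makes the failure explicit. The KEYVAULT_NAME default `"service-kv-aro-hcp-dev"` bakes a dev vault into a template whose Makefile caller now resolves the vault per resource group, so a caller that forgets the parameter silently reads the dev vault; dropping the default and making it `required: true` avoids that. The `description:` of KEYVAULT_NAME speaks of "first party credentials" while the only object fetched is `firstPartyMock`; a short note on what that secret is would help the next reader.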
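Review bot: `mountPath: "/secrets/keyvault"` is quoted while the sibling `mountPath: /secrets/azure-credentials` two lines above it, and the other paths in this file, are plain scalars; `mountPath: /secrets/keyvault` keeps the style consistent. The `readOnly: true` on the mount repeats the `readOnly: true` already set on the `keyvault` CSI volume in the earlier hunk; keeping both is harmless, but if one is dropped the volume-level one is the one the driver honours. The enclosing container spec starts before this hunk and continues after it.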