diff --git a/internal/pkg/policy/secret.go b/internal/pkg/policy/secret.go
index fccd31ff0..5c98d346e 100644
--- a/internal/pkg/policy/secret.go
+++ b/internal/pkg/policy/secret.go
@@ -15,7 +15,7 @@ import (
 )
 
 var (
- secretRegex = regexp.MustCompile(`\$co\.elastic\.secret{(.*)}`)
+ secretRegex = regexp.MustCompile(`\$co\.elastic\.secret{([^}]*)}`)
 )
 
 // read secret values that belong to the agent policy's secret references, returns secrets as id:value map
@@ -177,13 +177,17 @@ func ProcessOutputSecret(ctx context.Context, output smap.Map, bulker bulk.Bulk)
 }
 
 // replaceStringRef replaces values matching a secret ref regex, e.g. $co.elastic.secret{} ->
+// and does this for multiple matches
 func replaceStringRef(ref string, secretValues map[string]string) string {
 matches := secretRegex.FindStringSubmatch(ref)
- if len(matches) > 1 {
+ for len(matches) > 1 {
 secretRef := matches[1]
 if val, ok := secretValues[secretRef]; ok {
- return strings.Replace(ref, matches[0], val, 1)
+ ref = strings.Replace(ref, matches[0], val, 1)
+ matches = secretRegex.FindStringSubmatch(ref)
+ continue
 }
+ break
 }
 return ref
 }
diff --git a/internal/pkg/policy/secret_test.go b/internal/pkg/policy/secret_test.go
index 9222795d2..8ae433ff3 100644
--- a/internal/pkg/policy/secret_test.go
+++ b/internal/pkg/policy/secret_test.go
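Review bot: In the first hunk of secret.go, `([^}]*)` still matches an empty id, so a literal `$co.elastic.secret{}` inside a value is treated as a reference. Together with the loop added to `replaceStringRef` in the next hunk, which breaks on the first id missing from `secretValues`, such a match would keep any later, valid reference in the same string from being resolved. Consider `([^}]+)`, plus a short comment on the pattern such as `// the id is everything up to the first '}', so adjacent references match separately`.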
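Review bot: The loop added to `replaceStringRef` in the second hunk of secret.go calls `secretRegex.FindStringSubmatch` on the whole string again after every substitution, so text that came out of a secret value is scanned as if it were policy text. A value that contains reference syntax for another known id is expanded a second time, and a value that contains a reference to its own id makes `strings.Replace` return the same string, so the loop never exits. Substituting in one left-to-right pass over the original string avoids both, and it keeps the stop-at-first-unknown-id behaviour that the new tests pin. A test whose secret value itself contains `$co.elastic.secret{...}` would guard this.

```go
func replaceStringRef(ref string, secretValues map[string]string) string {
	var b strings.Builder
	last := 0
	// Match offsets refer to the original string, so substituted values are never re-scanned.
	for _, m := range secretRegex.FindAllStringSubmatchIndex(ref, -1) {
		val, ok := secretValues[ref[m[2]:m[3]]]
		if !ok {
			break // same as before: stop at the first unknown reference
		}
		b.WriteString(ref[last:m[0]])
		b.WriteString(val)
		last = m[1]
	}
	b.WriteString(ref[last:])
	return b.String()
}
```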
@@ -42,6 +42,23 @@ func TestReplaceStringRefPartial2(t *testing.T) {
 assert.Equal(t, "http://localhost/services", val)
 }
 
+func TestReplaceStringRefMultiple(t *testing.T) {
+ secretRefs := map[string]string{
+ "secret1": "value1",
+ "secret2": "value2",
+ }
+ val := replaceStringRef("partial \"$co.elastic.secret{secret1}\" \"$co.elastic.secret{secret2}\"", secretRefs)
+ assert.Equal(t, "partial \"value1\" \"value2\"", val)
+}
+
+func TestReplaceStringRefMultipleOneNotFound(t *testing.T) {
+ secretRefs := map[string]string{
+ "secret2": "value2",
+ }
+ val := replaceStringRef("partial \"$co.elastic.secret{secret1}\" \"$co.elastic.secret{secret2}\"", secretRefs)
+ assert.Equal(t, "partial \"$co.elastic.secret{secret1}\" \"$co.elastic.secret{secret2}\"", val)
+}
+
 func TestReplaceStringRefNotASecret(t *testing.T) {
 secretRefs := map[string]string{
 "abcd": "value1",
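Review bot: `TestReplaceStringRefMultipleOneNotFound` covers only the case where the unknown id comes first; the opposite order is not pinned. Reading the loop in secret.go, a string whose first reference resolves and whose second does not would come back half-substituted, as `partial "value1" "$co.elastic.secret{secret2}"`. A third case with only `secret1` in the map would make that outcome an explicit decision. If an unresolved placeholder must never reach an output, the function probably needs to report the miss rather than return the string. The last function in the hunk, `TestReplaceStringRefNotASecret`, continues outside it.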