diff --git a/crates/cuddle-clusters/src/catalog/vault_secret.rs b/crates/cuddle-clusters/src/catalog/vault_secret.rs
index 7a0d482..cd3301b 100644
--- a/crates/cuddle-clusters/src/catalog/vault_secret.rs
+++ b/crates/cuddle-clusters/src/catalog/vault_secret.rs
@@ -74,11 +74,31 @@ impl Component for VaultSecret {
     fn render(
         &self,
         _environment: &str,
-        _value: &serde_yaml::Value,
+        value: &serde_yaml::Value,
     ) -> Option<anyhow::Result<(String, String)>> {
-        Some(Ok((
-            format!("{}.yaml", self.name().replace("/", "_")),
-            r#"apiVersion: secrets.hashicorp.com/v1beta1
+        value
+            .as_mapping()
+            .and_then(|map| map.get("env"))
+            .and_then(|v| v.as_mapping())
+            .map(|v| {
+                v.iter()
+                    .filter_map(|(k, v)| {
+                        if v.as_mapping()
+                            .map(|m| m.get("vault").filter(|v| v.as_bool() == Some(true)))
+                            .is_some()
+                        {
+                            Some(k)
+                        } else {
+                            None
+                        }
+                    })
+                    .filter_map(|k| k.as_str())
+                    .collect::<Vec<_>>()
+            })
+            .map(|_| {
+                Ok((
+                    format!("{}.yaml", self.name().replace("/", "_")),
+                    r#"apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
   name: {{ vars.vault_secret.file_name(vars.cuddle_vars.service) }}
@@ -92,8 +112,9 @@ spec:
   refreshAfter: 30s
   type: kv-v2
 "#
-            .into(),
-        )))
+                    .into(),
+                ))
+            })
     }
 }