diff --git a/.github/workflows/deploy-infra.yaml b/.github/workflows/deploy-infra.yaml
index 6da4d6b..fd067d2 100644
--- a/.github/workflows/deploy-infra.yaml
+++ b/.github/workflows/deploy-infra.yaml
@@ -53,6 +53,9 @@ jobs:
           echo "TF_VAR_google_client_id=${{ secrets.GOOGLE_CLIENT_ID }}" >> $GITHUB_ENV
           echo "TF_VAR_google_client_secret=${{ secrets.GOOGLE_CLIENT_SECRET }}" >> $GITHUB_ENV
+
+
+
       - name: Set Up Terraform
         uses: hashicorp/setup-terraform@v2
diff --git a/infra/main.tf b/infra/main.tf
index 3587d41..600f57f 100644
--- a/infra/main.tf
+++ b/infra/main.tf
@@ -14,6 +14,12 @@ resource "azurerm_resource_group" "rg" {
 }
 #### Create the Azure Key Vault #####
+
+# Retrieve the runner's public IP
+data "http" "ip" {
+  url = "https://api.ipify.org"
+}
+
 module "key_vault" {
   source = "../modules/key_vault"
@@ -28,6 +34,15 @@ module "key_vault" {
   depends_on = [azurerm_resource_group.rg]
   tags = local.environment_vars.tags
+
+  key_vault_ip_rules = [data.http.ip.response_body]
+}
+
+# Wait for firewall rule propagation
+resource "time_sleep" "wait_for_firewall" {
+  create_duration = "60s"
+
+  depends_on = [module.key_vault]
 }
 # Get the current service principal/client object ID
@@ -42,6 +57,20 @@ resource "azurerm_role_assignment" "key_vault_secrets_officer" {
   depends_on = [module.key_vault]
 }
+# Look up the user to grant access to
+data "azuread_user" "admin_user" {
+  user_principal_name = "frederic.pitteloud@fpittelo.ch"
+}
+
+# Assign Key Vault Administrator role to the user
+resource "azurerm_role_assignment" "key_vault_admin_user" {
+  scope = module.key_vault.key_vault_id
+  role_definition_name = "Key Vault Administrator"
+  principal_id = data.azuread_user.admin_user.object_id
+
+  depends_on = [module.key_vault]
+}
+
 resource "azurerm_key_vault_secret" "openai_key" {
   name = "openai-api-key"
   value = module.cognitive_account.openai_key
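Review bot: The body returned by api.ipify.org is consumed without any check, and in the following hunk it goes straight into `key_vault_ip_rules`, so an HTTP error page, an empty body or an otherwise unexpected answer from that third-party service ends up as a Key Vault firewall entry (or a failed apply) instead of being rejected. A postcondition on the data source that accepts only a 200 with a plain IPv4 address keeps a bad or tampered response from shaping the vault's allowlist; `status_code` is an attribute of the http provider's data source, but `postcondition` needs Terraform core 1.2 or later and the core version is not visible in this diff. The data block would become:
```hcl
data "http" "ip" {
  url = "https://api.ipify.org"

  lifecycle {
    postcondition {
      condition     = self.status_code == 200 && can(regex("^\\d{1,3}(\\.\\d{1,3}){3}$", trimspace(self.response_body)))
      error_message = "api.ipify.org did not return a plain IPv4 address; refusing to use it as a Key Vault firewall rule."
    }
  }
}
```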
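Review bot: `key_vault_ip_rules = [data.http.ip.response_body]` passes the raw body, so any trailing newline the service returns becomes part of the rule; `key_vault_ip_rules = [trimspace(data.http.ip.response_body)]` avoids that. Beyond formatting, the rule allowlists whatever public address the runner egresses from, which, if this workflow runs on GitHub-hosted runners, is shared with other tenants' jobs and changes from run to run, and nothing in the diff removes it after the apply, so the vault stays reachable from that address until the next run rewrites it; that trade-off deserves a comment beside the rule, e.g. `# Runner egress IP: shared and ephemeral, replaced on every apply, never revoked`. The 60 s `time_sleep` is a fixed guess at propagation time and can still race on a slow day, so its comment should say that a failure at the secret write downstream most likely means the wait was too short rather than a permissions problem. The `module "key_vault"` block starts before this hunk.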
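Review bot: `user_principal_name` is a hard-coded personal address in main.tf, which ties the plan to one individual's account: the `azuread_user` lookup fails outright once that user is renamed or removed, and every environment built from this file gets the same person as administrator. Move the value to an input, `user_principal_name = var.key_vault_admin_upn`, with the variable declared in variables.tf (which this commit already touches), so the grantee is a per-environment setting rather than code. `Key Vault Administrator` is full data-plane control over keys, secrets and certificates; if the user only needs to manage secrets, the narrower `Key Vault Secrets Officer` role already used a few lines above for the deploying identity is the better fit. The diff does not show `azuread` in `required_providers`; if it is not declared elsewhere it needs an entry like the `http` and `time` ones added in providers.tf.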
@@ -50,7 +79,8 @@ resource "azurerm_key_vault_secret" "openai_key" {
   depends_on = [
     module.key_vault,
     module.cognitive_account,
-    azurerm_role_assignment.key_vault_secrets_officer
+    azurerm_role_assignment.key_vault_secrets_officer,
+    time_sleep.wait_for_firewall
   ]
 }
diff --git a/infra/providers.tf b/infra/providers.tf
index 0b2d347..fd0637b 100644
--- a/infra/providers.tf
+++ b/infra/providers.tf
@@ -19,6 +19,14 @@ terraform {
       source = "cyrilgdn/postgresql"
       version = "1.17.0"
     }
+    http = {
+      source = "hashicorp/http"
+      version = "~> 3.4.0"
+    }
+    time = {
+      source = "hashicorp/time"
+      version = "~> 0.9.0"
+    }
   }
   backend "azurerm" {
diff --git a/infra/variables.tf b/infra/variables.tf
index 958bc2f..8eee13d 100644
--- a/infra/variables.tf
+++ b/infra/variables.tf
@@ -186,3 +186,5 @@ variable "google_client_secret" {
+
+