diff --git a/internal/controllers/configuration-domain/secrets_handler.go b/internal/controllers/configuration-domain/secrets_handler.go
index b817b7f..8dc3af1 100644
--- a/internal/controllers/configuration-domain/secrets_handler.go
+++ b/internal/controllers/configuration-domain/secrets_handler.go
@@ -231,7 +231,7 @@ func getSecretWithKubernetesAuth(platform, namespace, domain, role string) ([]se
 			if err != nil {
 				return fmt.Errorf("unable to read secret: %w", err)
 			}
-			if secret == nil {
+			if secret == nil || secret.Data["data"] == nil {
 				return nil
 			}
 			secretData, ok := secret.Data["data"].(map[string]interface{})
diff --git a/internal/controllers/provisioning/provisioners/pulumi/exporters.go b/internal/controllers/provisioning/provisioners/pulumi/exporters.go
index 6f05ab0..6df4f13 100644
--- a/internal/controllers/provisioning/provisioners/pulumi/exporters.go
+++ b/internal/controllers/provisioning/provisioners/pulumi/exporters.go
@@ -116,8 +116,9 @@ func exportToVault(ctx *pulumi.Context, secretPath string, templateContext inter
 	}).(pulumi.StringOutput)
 
 	_, err := vault.NewSecret(ctx, secretPath, &vault.SecretArgs{
-		DataJson: dataJson,
-		Path:     pulumi.String(secretPath),
+		DataJson:          dataJson,
+		Path:              pulumi.String(secretPath),
+		DeleteAllVersions: pulumi.Bool(true),
 	}, opts...)
 	return err
 }