diff --git a/kesconf/testdata/vault/deploy_vault.sh b/kesconf/testdata/vault/deploy_vault.sh
index 53f5ef42..50ef0521 100755
--- a/kesconf/testdata/vault/deploy_vault.sh
+++ b/kesconf/testdata/vault/deploy_vault.sh
@@ -74,7 +74,6 @@ function setup_vault() {
 
 	export VAULT_ADDR='https://127.0.0.1:8200'
 	export VAULT_SKIP_VERIFY=true
-	export KES_API_KEY=kes:v1:AP6gQlUXjWj5iY1WkqeXKIR0OXTpyoiHa81XTY7ISy3l
 	init_output=$(vault operator init)
 	vault_token=$(echo "$init_output" | grep "Initial Root Token:" | awk -F":" '{print $2}' | xargs)
 	unseal_key1=$(echo "$init_output" | grep "Unseal Key 1:" | awk -F":" '{print $2}' | xargs)
@@ -95,8 +94,6 @@ function setup_vault() {
 	role_id=$(echo "$roleid_output" | grep "role_id" | awk -F" " '{print $2}')
 	secretid_output=$(vault write -f auth/approle/role/kes-server/secret-id)
 	secret_id=$(echo "$secretid_output" | grep "secret_id " | awk -F" " '{print $2}')
-	export VAULT_APPROLE_ID="${role_id}"
-	export VAULT_APPROLE_SECRET="${secret_id}"
 	vault_public_cert="${GITHUB_WORKSPACE}"/vault.crt
 	vault_cert="${vault_public_cert}" yq e -i '.keystore.vault.tls.ca = strenv(vault_cert)' "${GITHUB_WORKSPACE}"/kesconf/testdata/vault/kes-config-vault.yml
 
@@ -111,6 +108,8 @@ function setup_vault() {
 export KES_API_KEY=kes:v1:AP6gQlUXjWj5iY1WkqeXKIR0OXTpyoiHa81XTY7ISy3l
 export VAULT_APPROLE_ID=${role_id}
 export VAULT_APPROLE_SECRET=${secret_id}
+export VAULT_ADDR='https://127.0.0.1:8200'
+export VAULT_SKIP_VERIFY=true
 EOF
 	cat env.sh
 }
diff --git a/kesconf/vault_ci_test.go b/kesconf/vault_ci_test.go
index 1bd3527b..c2057311 100644
--- a/kesconf/vault_ci_test.go
+++ b/kesconf/vault_ci_test.go
@@ -6,6 +6,8 @@ package kesconf
 
 import (
 	"flag"
+	"fmt"
+	"os"
 	"testing"
 )
 
@@ -21,6 +23,9 @@ func TestVaultCI(t *testing.T) {
 		t.Fatal(err)
 	}
 
+	fmt.Println("VAULT_APPROLE_ID=", os.Getenv("VAULT_APPROLE_ID"))
+	fmt.Println("VAULT_APPROLE_SECRET=", os.Getenv("VAULT_APPROLE_SECRET"))
+	fmt.Println("Keystore AppRole: ", config.KeyStore.(*VaultKeyStore).AppRole)
 	if _, ok := config.KeyStore.(*VaultKeyStore); !ok {
 		t.Fatalf("Invalid Keystore: want %T - got %T", config.KeyStore, &VaultKeyStore{})
 	}