diff --git a/README.md b/README.md
index 1c18702bb9f930ca527e00b536f36c3b467c20dd..ca215d94f080a0c97461253c884df4e90d767411 100644
--- a/README.md
+++ b/README.md
@@ -518,6 +518,7 @@ In order to be able to communicate with the Vault server, the variant requires t
 
 | Name              | Description                            | Default value     |
 | ----------------- | -------------------------------------- | ----------------- |
+| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master` |
 | `VAULT_BASE_URL`  | The Vault server base API url          | _none_ |
 | :lock: `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
 | :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |
diff --git a/kicker.json b/kicker.json
index c9a7106a281661265eadec4eab90c43628c97b0e..e6a8edaed32fef909cc8035ff4e2c5e28a60244c 100644
--- a/kicker.json
+++ b/kicker.json
@@ -206,6 +206,12 @@
       "description": "Retrieve secrets from a [Vault](https://www.vaultproject.io/) server",
       "template_path": "templates/gitlab-ci-docker-vault.yml",
       "variables": [
+        {
+          "name": "TBC_VAULT_IMAGE",
+          "description": "The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use",
+          "default": "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master",
+          "advanced": true
+        },
         {
           "name": "VAULT_BASE_URL",
           "description": "The Vault server base API url",
diff --git a/templates/gitlab-ci-docker-vault.yml b/templates/gitlab-ci-docker-vault.yml
index 7d4f94d39072aaa1aad9574c18561fcbd727852b..753ad78fa882b763b77e662412ac8deea3b1491e 100644
--- a/templates/gitlab-ci-docker-vault.yml
+++ b/templates/gitlab-ci-docker-vault.yml
@@ -2,6 +2,8 @@
 # === Vault template variant
 # =====================================================================================================================
 variables:
+  # variabilized vault-secrets-provider image
+  TBC_VAULT_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master"
   # variables have to be explicitly declared in the YAML to be exported to the service
   VAULT_ROLE_ID: "$VAULT_ROLE_ID"
   VAULT_SECRET_ID: "$VAULT_SECRET_ID"
@@ -10,5 +12,5 @@ variables:
   services:
     - name: "$TBC_TRACKING_IMAGE"
       command: ["--service", "docker", "3.4.0"]
-    - name: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master"
+    - name: "$TBC_VAULT_IMAGE"
       alias: "vault-secrets-provider"