diff --git a/README.md b/README.md
index 24512e3a2d8f3d6ae2e8667da63139b18c6ee0f0..15ed6687dec77665df74605288657e9124439082 100644
--- a/README.md
+++ b/README.md
@@ -326,6 +326,7 @@ In order to be able to communicate with the Vault server, the variant requires t
 | Name | description | default value |
 | ----------------- | -------------------------------------- | ----------------- |
+| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master` |
 | `VAULT_BASE_URL` | The Vault server base API url | _none_ |
 | :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
 | :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |
diff --git a/kicker.json b/kicker.json
index f6f40a251fa225bafa62e2f6fa0124079cad1110..a15e725c7f01b8e80d2559d6a790bbe829bc034c 100644
--- a/kicker.json
+++ b/kicker.json
@@ -382,6 +382,12 @@
 "description": "Retrieve secrets from a [Vault](https://www.vaultproject.io/) server",
 "template_path": "templates/gitlab-ci-helm-vault.yml",
 "variables": [
+ {
+ "name": "TBC_VAULT_IMAGE",
+ "description": "The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use",
+ "default": "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master",
+ "advanced": true
+ },
 {
 "name": "VAULT_BASE_URL",
 "description": "The Vault server base API url"
diff --git a/templates/gitlab-ci-helm-vault.yml b/templates/gitlab-ci-helm-vault.yml
index 3652a88970a3fec5ce3dc5acbcced1fa688145c0..04f7ec25bf6c79950376fabfdc6353b0c3cf7213 100644
--- a/templates/gitlab-ci-helm-vault.yml
+++ b/templates/gitlab-ci-helm-vault.yml
@@ -2,6 +2,8 @@
 # === Vault template variant
 # =====================================================================================================================
 variables:
+ # variabilized vault-secrets-provider image
+ TBC_VAULT_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master"
 # variables have to be explicitly declared in the YAML to be exported to the service
 VAULT_ROLE_ID: "$VAULT_ROLE_ID"
 VAULT_SECRET_ID: "$VAULT_SECRET_ID"
@@ -10,5 +12,5 @@ variables:
 services:
 - name: "$TBC_TRACKING_IMAGE"
 command: ["--service", "helm", "3.1.0" ]
- - name: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master"
+ - name: "$TBC_VAULT_IMAGE"
 alias: "vault-secrets-provider"
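Review bot: The new `TBC_VAULT_IMAGE` default in the first hunk still ends in the mutable `:master` tag, so the image that is handed `VAULT_ROLE_ID` and `VAULT_SECRET_ID` (declared just below it so they are exported to the service) can change from one pipeline run to the next with no change to this template. Now that the reference lives in one variable, I would default it to a release tag, e.g. `TBC_VAULT_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:<RELEASE_TAG>"` (placeholder; the available tags are not visible here), or to an `@sha256:` digest. The same `:master` default is repeated in the `kicker.json` and README hunks of this commit and should be kept in step. The `variables:` block continues past the end of the hunk.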
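Review bot: In the second hunk the `vault-secrets-provider` service image becomes whatever `TBC_VAULT_IMAGE` resolves to, and this is the service that receives the AppRole credentials. A value declared in the template's `variables:` block can be replaced by variables set at project or group level, or supplied when a pipeline is started. Neither the template comment nor the new README row ("can be overridden") mentions that trust implication. I would change the comment above the variable to `# image of the service that receives VAULT_ROLE_ID / VAULT_SECRET_ID; override only with a trusted, pinned image`. The README row could also advise limiting who may set pipeline variables on projects that use this variant.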