diff --git a/tf/production/.terraform.lock.hcl b/tf/production/.terraform.lock.hcl
index 4db8117..46205b9 100644
--- a/tf/production/.terraform.lock.hcl
+++ b/tf/production/.terraform.lock.hcl
@@ -42,6 +42,23 @@ provider "registry.opentofu.org/hashicorp/aws" {
 ]
 }
+provider "registry.opentofu.org/hashicorp/external" {
+ version = "2.3.3"
+ hashes = [
+ "h1:bDJy8Mj5PMTEuxm6Wu9A9dATBL+mQDmHx8NnLzjvCcc=",
+ "zh:1ec36864a1872abdfd1c53ba3c6837407564ac0d86ab80bf4fdc87b41106fe68",
+ "zh:2117e0edbdc88f0d22fe02fe6b2cfbbbc5d5ce40f8f58e484d8d77d64dd7340f",
+ "zh:4bcfdacd8e2508c16e131de9072cecd359e0ade3b8c6798a049883f37a5872ea",
+ "zh:4da71bc601a37bf8b7413c142d43f5f28e97e531d4836ee8624f41b9fb62e250",
+ "zh:55b9eebac79a46f88db5615f1ee0ac4c3f9351caa4eb8542171ef5d87de60338",
+ "zh:74d64afaef190321f8ddf1c4a9c6489d6cf51098704a2456c1553406e8306328",
+ "zh:8a357e51a0ec69872fafc64da3c6a1039277d325255ef5a264b727d83995d18b",
+ "zh:aacd2e6c13fe19115d51cd28a40a28da017bb48c2e18dec4460d1c37506b1495",
+ "zh:e19c8bdf0e059341d008a50f9138c44009e9ebb3a8047a300e6bc63ed8af8ea0",
+ "zh:fafa9639d8b8402e35f3864c6cfb0762ec57cc365a8f383e2acf81105b1b9eea",
+ ]
+}
+
 provider "registry.opentofu.org/hashicorp/kubernetes" {
 version = "2.30.0"
 hashes = [
diff --git a/tf/production/pass_storage.sh b/tf/production/pass_storage.sh
new file mode 100644
index 0000000..bad78a9
--- /dev/null
+++ b/tf/production/pass_storage.sh
@@ -0,0 +1,7 @@
+jq -n \
+--arg hetzner_token $(pass api/personal/terraform/hetzner/production) \
+--arg cloudflare_token $(pass api/personal/terraform/cloudflare/dd84ai) \
+'{
+ "hetzner_token": $hetzner_token,
+ "cloudflare_token": $cloudflare_token
+}'
diff --git a/tf/production/providers.tf b/tf/production/providers.tf
index 936d2ea..bd22dac 100644
--- a/tf/production/providers.tf
+++ b/tf/production/providers.tf
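Review bot: Both `$(pass …)` substitutions in `tf/production/pass_storage.sh` are unquoted and unchecked, so a stored value with whitespace or a second line is split into extra jq arguments, and an empty result from a failed or locked `pass` lets the next `--arg` slide into the token's place. A failure inside an argument list does not stop a shell script even under `set -e`, so each secret should be assigned to a variable first in a script that starts with a shebang and `set -euo pipefail`. Passing the tokens with `--arg` also puts them on jq's command line, where other local users can read them from the process list; exporting them and reading `env.NAME` in the filter avoids that. `tf/staging/pass_storage.sh` is the same blob (`bad78a9`) and needs the same change.

```shell
#!/usr/bin/env bash
set -euo pipefail

# Assign first: a failing `pass` inside an argument list would not abort the script.
HETZNER_TOKEN="$(pass api/personal/terraform/hetzner/production)"
CLOUDFLARE_TOKEN="$(pass api/personal/terraform/cloudflare/dd84ai)"
export HETZNER_TOKEN CLOUDFLARE_TOKEN

# Read from the environment so the tokens never appear in jq's argv.
jq -n '{
  "hetzner_token": env.HETZNER_TOKEN,
  "cloudflare_token": env.CLOUDFLARE_TOKEN
}'
```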
@@ -19,19 +19,16 @@ terraform {
 }
 }
-data "aws_ssm_parameter" "hetzner" {
- name = "/terraform/hetzner/production"
-}
-provider "hcloud" {
- token = data.aws_ssm_parameter.hetzner.value
+data "external" "pass_storage" {
+ program = ["bash", "${path.module}/pass_storage.sh"]
 }
-data "aws_ssm_parameter" "cloudflare_key" {
- name = "/terraform/cloudflare/dd84ai"
+provider "hcloud" {
+ token = data.external.pass_storage.result["hetzner_token"]
 }
 provider "cloudflare" {
- api_token = data.aws_ssm_parameter.cloudflare_key.value
+ api_token = data.external.pass_storage.result["cloudflare_token"]
 }
 provider "kubernetes" {
diff --git a/tf/staging/.terraform.lock.hcl b/tf/staging/.terraform.lock.hcl
index edd9a60..92a56be 100644
--- a/tf/staging/.terraform.lock.hcl
+++ b/tf/staging/.terraform.lock.hcl
@@ -42,6 +42,23 @@ provider "registry.opentofu.org/hashicorp/aws" {
 ]
 }
+provider "registry.opentofu.org/hashicorp/external" {
+ version = "2.3.3"
+ hashes = [
+ "h1:bDJy8Mj5PMTEuxm6Wu9A9dATBL+mQDmHx8NnLzjvCcc=",
+ "zh:1ec36864a1872abdfd1c53ba3c6837407564ac0d86ab80bf4fdc87b41106fe68",
+ "zh:2117e0edbdc88f0d22fe02fe6b2cfbbbc5d5ce40f8f58e484d8d77d64dd7340f",
+ "zh:4bcfdacd8e2508c16e131de9072cecd359e0ade3b8c6798a049883f37a5872ea",
+ "zh:4da71bc601a37bf8b7413c142d43f5f28e97e531d4836ee8624f41b9fb62e250",
+ "zh:55b9eebac79a46f88db5615f1ee0ac4c3f9351caa4eb8542171ef5d87de60338",
+ "zh:74d64afaef190321f8ddf1c4a9c6489d6cf51098704a2456c1553406e8306328",
+ "zh:8a357e51a0ec69872fafc64da3c6a1039277d325255ef5a264b727d83995d18b",
+ "zh:aacd2e6c13fe19115d51cd28a40a28da017bb48c2e18dec4460d1c37506b1495",
+ "zh:e19c8bdf0e059341d008a50f9138c44009e9ebb3a8047a300e6bc63ed8af8ea0",
+ "zh:fafa9639d8b8402e35f3864c6cfb0762ec57cc365a8f383e2acf81105b1b9eea",
+ ]
+}
+
 provider "registry.opentofu.org/hashicorp/kubernetes" {
 version = "2.30.0"
 hashes = [
diff --git a/tf/staging/pass_storage.sh b/tf/staging/pass_storage.sh
new file mode 100644
index 0000000..bad78a9
--- /dev/null
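Review bot: `data.external.pass_storage.result` in `tf/production/providers.tf` is a plain string map that the external provider does not mark sensitive, so both tokens lose the redaction that the removed `aws_ssm_parameter` `value` attribute carried. Anything later derived from the map (a local, an output, a resource argument) would be printed in clear in plan output, and the data-source result is still written to state, so the state backend needs the same protection as before. Wrapping at the point of use restores redaction: `token = sensitive(data.external.pass_storage.result["hetzner_token"])` and `api_token = sensitive(data.external.pass_storage.result["cloudflare_token"])`. The identical hunk in `tf/staging/providers.tf` needs the same change.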
+++ b/tf/staging/pass_storage.sh
@@ -0,0 +1,7 @@
+jq -n \
+--arg hetzner_token $(pass api/personal/terraform/hetzner/production) \
+--arg cloudflare_token $(pass api/personal/terraform/cloudflare/dd84ai) \
+'{
+ "hetzner_token": $hetzner_token,
+ "cloudflare_token": $cloudflare_token
+}'
diff --git a/tf/staging/providers.tf b/tf/staging/providers.tf
index 32943b3..aa3842c 100644
--- a/tf/staging/providers.tf
+++ b/tf/staging/providers.tf
@@ -22,19 +22,16 @@ terraform {
 }
 }
-data "aws_ssm_parameter" "hetzner" {
- name = "/terraform/hetzner/production"
-}
-provider "hcloud" {
- token = data.aws_ssm_parameter.hetzner.value
+data "external" "pass_storage" {
+ program = ["bash", "${path.module}/pass_storage.sh"]
 }
-data "aws_ssm_parameter" "cloudflare_key" {
- name = "/terraform/cloudflare/dd84ai"
+provider "hcloud" {
+ token = data.external.pass_storage.result["hetzner_token"]
 }
 provider "cloudflare" {
- api_token = data.aws_ssm_parameter.cloudflare_key.value
+ api_token = data.external.pass_storage.result["cloudflare_token"]
 }
 provider "kubernetes" {
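Review bot: `tf/staging/pass_storage.sh` reads `api/personal/terraform/hetzner/production`, so every staging plan and apply runs with the production Hetzner token. The removed staging SSM lookup pointed at `/terraform/hetzner/production` as well, so this is carried over rather than introduced here, but moving the secret source is a natural point to split it. If staging has, or can be given, its own Hetzner project token, point this line at a staging-scoped entry, e.g. `"$(pass <staging-hetzner-entry>)"`, so that a mistake in staging or a leaked staging credential cannot reach production resources.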