diff --git a/.gitignore b/.gitignore
index 9f38df6..84caf32 100644
--- a/.gitignore
+++ b/.gitignore
@@ -74,5 +74,5 @@ data/.minio.sys
 # Celery
 celerybeat-schedule
-# Configuration secrets
-secrets.toml
+# Configuration environment
+.env
diff --git a/invenio.cfg b/invenio.cfg
index f67f667..a428862 100644
--- a/invenio.cfg
+++ b/invenio.cfg
@@ -14,13 +14,30 @@ from invenio_i18n import lazy_gettext as _
 def _(x): # needed to avoid start time failure with lazy strings
 return x
 
-# Custom function and constant to manage secrets more easily
-def read_secrets():
- import tomli
- with open("secrets.toml", "rb") as f:
- return tomli.load(f)
+# Custom functions and to get env variables more safely
+def init_env():
+ from py_dotenv_safe import config
 
-SECRETS = read_secrets()
+ options = {
+ "dotenvPath": ".env",
+ "examplePath": ".env.example",
+ "allowEmptyValues": False,
+ }
+
+ config(options)
+ print("Environment variables loaded successfully.")
+
+init_env()
+
+def get_env_variable(key):
+ import os
+
+ x = os.getenv(key)
+
+ if x is None:
+ raise EnvironmentError(f"Environment variable {key} not found")
+
+ return x
 
 # Flask
 # =====
@@ -35,7 +52,7 @@ SEND_FILE_MAX_AGE_DEFAULT = 300
 # SECURITY WARNING: keep the secret key used in production secret!
 # Do not commit it to a source code repository.
 # TODO: Set
-SECRET_KEY=SECRETS["SECRET_KEY"]
+SECRET_KEY=get_env_variable("INVENIO_SECRET_KEY")
 
 # Since HAProxy and Nginx route all requests no matter the host header
 # provided, the allowed hosts variable is set to localhost. In production it 
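Review bot: Dropping the `secrets.toml` ignore line means a leftover `secrets.toml` from the previous scheme is no longer protected and will be picked up by a `git add .` on any checkout that still has one. Since nothing on this page removes the file from working trees, keeping `secrets.toml` ignored alongside `.env` costs nothing and closes that window, e.g. `# Configuration environment / secrets (legacy)` followed by both `secrets.toml` and `.env`. Also make sure `.env.example` is not matched by any broader pattern, since the new loader requires it to exist.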
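Review bot: `init_env()` runs unconditionally at import time and `"dotenvPath": ".env"` is resolved against the process's working directory, not the directory holding `invenio.cfg`, so a worker or CLI started from elsewhere will not find the file; if py_dotenv_safe treats a missing `.env` as fatal (which the `.env.example` validation suggests, though I cannot confirm from here), that is a startup failure even when every variable is already present in the real environment. Anchoring the path, e.g. `"dotenvPath": os.path.join(os.path.dirname(__file__), ".env")` (with `import os` inside `init_env`, and after confirming `__file__` is set when Flask loads the config), removes the dependency on the working directory. The `print("Environment variables loaded successfully.")` writes to stdout on every import of the config; a `logging` call is the usual choice here, or the line can go. Both new functions also lack docstrings, and the header comment `# Custom functions and to get env variables more safely` is garbled; something like `"""Load .env, validating it against .env.example; fails fast if a key is missing."""` on `init_env` and `"""Return the environment variable *key*, raising EnvironmentError if it is unset."""` on `get_env_variable` would state the contract.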
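Review bot: The `# TODO: Set` comment directly above the new `SECRET_KEY=get_env_variable("INVENIO_SECRET_KEY")` line is now stale, since the key is no longer a placeholder to be set by hand. Replace it with a pointer to where the value comes from, e.g. `# Provided via the INVENIO_SECRET_KEY environment variable (see .env.example)`, and keep the two warning lines above it, which still apply.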
@@ -154,8 +171,8 @@ FILES_REST_STORAGE_FACTORY='invenio_s3.s3fs_storage_factory'
 # Invenio-S3
 # ==========
 S3_ENDPOINT_URL='http://localhost:9000/'
-S3_ACCESS_KEY_ID='CHANGE_ME'
-S3_SECRET_ACCESS_KEY='CHANGE_ME'
+S3_ACCESS_KEY_ID=get_env_variable("S3_ACCESS_KEY_ID")
+S3_SECRET_ACCESS_KEY=get_env_variable("S3_SECRET_ACCESS_KEY")
 
 # Allow S3 endpoint in the CSP rules
 APP_DEFAULT_SECURE_HEADERS['content_security_policy']['default-src'].append(
diff --git a/prepare-env.sh b/prepare-env.sh
new file mode 100755
index 0000000..f35180f
--- /dev/null
+++ b/prepare-env.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+aws secretsmanager get-secret-value --secret-id Invenio | \
+ jq -r '.SecretString | fromjson | to_entries | .[] | .key + "=" + .value' > .env
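Review bot: `S3_ENDPOINT_URL` on the line above the changed pair is still hard-coded to `'http://localhost:9000/'` while the credentials now come from the environment, so unless the endpoint is overridden elsewhere a production deployment sends production credentials to a local address. Reading it the same way, `S3_ENDPOINT_URL=get_env_variable("S3_ENDPOINT_URL")`, keeps the three settings consistent; since `get_env_variable` has no default, the variable then also needs an entry in `.env.example`. Note too that an unset `S3_ACCESS_KEY_ID` now aborts import of the whole config, which is a reasonable fail-fast choice but should be stated in a comment on the line, e.g. `# Required: the config refuses to load without these (see .env.example)`.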
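Review bot: The `.env` written by the redirection on the last line is created under the caller's default umask, typically world-readable, and contains every secret in plaintext; put `umask 077` before the pipeline (or write to a temp file and `install -m 600` it into place). The script also has no error handling: without `set -euo pipefail`, a failed `aws` call (no credentials, wrong region, missing secret) leaves `jq` exiting 0 and `> .env` having already truncated the file to empty, so the failure surfaces later as a confusing missing-variable error in the app. The jq expression `.key + "=" + .value` raises a type error for any non-string value in the secret JSON and writes values containing spaces, `#` or quotes unquoted, so `.value | tostring` plus quoting in whatever form py_dotenv_safe's parser accepts is worth adding.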