diff --git a/ec2-launch-template.tf b/ec2-launch-template.tf
index 22a162d..53329fc 100644
--- a/ec2-launch-template.tf
+++ b/ec2-launch-template.tf
@@ -33,7 +33,7 @@ resource "aws_launch_template" "vault_instance" { { "Project" = var.main_project_tag } )
- user_data = base64encode(templatefile("${path.module}/files/userdata.sh", {
+ user_data = base64encode(templatefile("${path.module}/files/userdata_template.sh", {
 VAULT_VERSION = var.vault_version
 VAULT_CLUSTER_NAME = var.main_project_tag
 VAULT_DNS = var.domain_name
diff --git a/files/userdata.sh b/files/userdata_template.sh
similarity index 100%
rename from files/userdata.sh
rename to files/userdata_template.sh
diff --git a/files/vault_credentials_template.sh b/files/vault_credentials_template.sh
new file mode 100644
index 0000000..6dba386
--- /dev/null
+++ b/files/vault_credentials_template.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# This grabs the encrypted credentials file and decrypts it.
+
+aws --profile ${AWS_PROFILE} --region ${AWS_REGION} s3 cp s3://${AWS_S3_BUCKET}/vault_creds_encrypted ./tmp/vault_creds_encrypted
+aws --profile ${AWS_PROFILE} --region ${AWS_REGION} kms decrypt --key-id ${AWS_KMS_KEY_ID} --ciphertext-blob fileb://tmp/vault_creds_encrypted --output text --query Plaintext | base64 --decode > ./tmp/vault_creds_decrypted
diff --git a/outputs.tf b/outputs.tf
index c4793e4..ce42c29 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,6 +1,6 @@
 # Here for debugging the compiled userdata.sh file.
-resource "local_file" "user_data_compiled" {
- content = templatefile("${path.module}/files/userdata.sh", {
+resource "local_file" "userdata_compiled" {
+ content = templatefile("${path.module}/files/userdata_template.sh", {
 VAULT_VERSION = var.vault_version
 VAULT_CLUSTER_NAME = var.main_project_tag
 VAULT_DNS = var.domain_name
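Review bot: A failure of either `aws` call goes unnoticed, so if `kms decrypt` fails (wrong profile, missing key grant, stale ciphertext) the pipeline still runs `base64 --decode` on empty stdin and leaves an empty `./tmp/vault_creds_decrypted` behind that looks like a successful decrypt. Start the script with `set -euo pipefail` so a failed download or decrypt stops it before the redirect creates the output file; `pipefail` matters here because the exit status of the last line is otherwise that of `base64`, not of `aws`. The plaintext is also written to disk under the caller's default umask, which is usually world-readable; `umask 077` before the first `aws` line (or piping the plaintext straight to whatever consumes it) keeps it to the invoking user, and the ciphertext copy should be removed afterwards. Both commands use a relative `./tmp/` path, so where the files land depends on the working directory the script is run from, and `mkdir -p ./tmp` is presumably needed if that directory does not already exist — worth confirming against how the rendered script is invoked.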
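Review bot: The context comment on the first line of the outputs.tf hunk still says `userdata.sh`, but this hunk renames the template to `files/userdata_template.sh` and the resource to `userdata_compiled`, so the comment now names a file that no longer exists. Update it to match, e.g. `# Debug aid: renders files/userdata_template.sh to tmp/userdata_compiled.sh so the generated user data can be inspected.` Keeping `resource` blocks in outputs.tf is also a surprise for anyone who expects only `output` blocks there; a `debug.tf` or similar would make the file's purpose clearer. The resource body continues in the next hunk of this file.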
@@ -9,5 +9,16 @@ resource "local_file" "user_data_compiled" {
 VAULT_DYNAMODB_TABLE = var.dynamodb_table_name # dynamodb resource doesn't return name....
 VAULT_S3_BUCKET_NAME = aws_s3_bucket.vault_data.id
 })
- filename = "${path.module}/files/user_data_compiled.sh"
+ filename = "${path.module}/tmp/userdata_compiled.sh"
+}
+
+# Output the vault credentials script
+resource "local_file" "vault_credentials" {
+ content = templatefile("${path.module}/files/vault_credentials_template.sh", {
+ AWS_PROFILE = var.aws_profile
+ AWS_REGION = data.aws_region.current.name
+ AWS_S3_BUCKET = aws_s3_bucket.vault_data.id
+ AWS_KMS_KEY_ID = aws_kms_key.seal.key_id
+ })
+ filename = "${path.module}/tmp/vault_credentials.sh"
 }
\ No newline at end of file
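Review bot: The new `local_file.vault_credentials` (and the `userdata_compiled` resource above it) relies on the provider's default `file_permission`, which for `local_file` is `0777` applied before umask, so with a typical umask the rendered scripts under `${path.module}/tmp/` come out 0755 — readable and executable by every local user. Add `file_permission = "0700"` (and `directory_permission = "0700"` so the `tmp/` directory it creates is equally restricted) to both resources. The rendered `vault_credentials.sh` downloads and decrypts into a relative `./tmp/` path while the script itself is written into `${path.module}/tmp/`, so the two only line up when it is run from the module root; say so in the comment above the resource, e.g. `# Renders the credential-fetch script to tmp/vault_credentials.sh; run it from the module root so its ./tmp paths resolve here.` Since `tmp/` now receives generated scripts and, once they are run, decrypted credentials, confirm it is excluded from version control — the ignore file is not part of this diff.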