diff --git a/controlpanel/api/cluster.py b/controlpanel/api/cluster.py
index 23e5b5dda..bcc068801 100644
--- a/controlpanel/api/cluster.py
+++ b/controlpanel/api/cluster.py
@@ -388,6 +388,8 @@ class App(EntityResource):
 AUTH0_CONNECTIONS = "AUTH0_CONNECTIONS"
 AUTHENTICATION_REQUIRED = "AUTHENTICATION_REQUIRED"
 AUTH0_PASSWORDLESS = "AUTH0_PASSWORDLESS"
+ APP_ROLE_ARN = "APP_ROLE_ARN"
+ DATA_ACCOUNT_ID = 'DATA_ACCOUNT_ID'
 def __init__(self, app, github_api_token=None, auth0_instance=None):
 super(App, self).__init__()
@@ -411,7 +413,9 @@ def create_or_update_secrets(self, env_name, secret_data):
 def _create_secrets(self, env_name, client=None):
 secret_data: dict = {
- App.IP_RANGES: self.app.env_allowed_ip_ranges(env_name=env_name)
+ App.IP_RANGES: self.app.env_allowed_ip_ranges(env_name=env_name),
+ App.APP_ROLE_ARN: self.app.iam_role_arn,
+ App.DATA_ACCOUNT_ID: settings.AWS_DATA_ACCOUNT_ID
 }
 if client:
 secret_data[App.AUTH0_CLIENT_ID] = client["client_id"]
@@ -651,12 +655,13 @@ def get_env_vars(self, env_name):
 return app_env_vars
 def create_auth_settings(
- self, env_name, disable_authentication=False, connections=None, app_domain=None
+ self, env_name, disable_authentication=False, connections=None, app_domain=None
 ):
 client = None
 group = None
- connections = connections or \
- {auth0.ExtendedAuth0.DEFAULT_CONNECTION_OPTION: {}}
+ if connections is None:
+ connections = {auth0.ExtendedAuth0.DEFAULT_CONNECTION_OPTION: {}}
+
 if not disable_authentication:
 client, group = self._get_auth0_instance().setup_auth0_client(
 client_name=self.app.auth0_client_name(env_name),
@@ -665,7 +670,8 @@ def create_auth_settings(
 app_domain=app_domain
 )
 self.app.save_auth_settings(
- env_name=env_name, client=client, group=group)
+ env_name=env_name, client=client, group=group
+ )
 self._create_secrets(env_name, client=client)
 self._create_env_vars(
 env_name,
diff --git a/tests/api/cluster/test_app.py b/tests/api/cluster/test_app.py
index bafa396f1..7530b755d 100644
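Review bot: In `_create_secrets`, the two new entries are written without checking that they hold a value: if `self.app.iam_role_arn` is empty or `settings.AWS_DATA_ACCOUNT_ID` is unset, `create_or_update_secrets` receives `None` or an empty string, and the mistake would presumably only surface later when the deployed app tries to use the role. I would fail early, e.g. `if not settings.AWS_DATA_ACCOUNT_ID: raise ImproperlyConfigured("AWS_DATA_ACCOUNT_ID is not set")`, with the same guard for the role ARN. The hunk does not show an import of `settings` in cluster.py, so confirm it is already in scope. Within the visible hunks `_create_secrets` is only reached from `create_auth_settings`, so environments created before this change presumably will not receive `APP_ROLE_ARN` and `DATA_ACCOUNT_ID` until their auth settings are recreated; a backfill may be needed. The function body continues outside the hunk.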
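Review bot: In `create_auth_settings`, replacing `connections or {...}` with `if connections is None:` changes behaviour for callers that pass an explicit empty dict: `{}` used to fall back to `DEFAULT_CONNECTION_OPTION` and is now forwarded unchanged to `setup_auth0_client`, which would presumably set up the Auth0 client with no connection enabled. If that is intended, state it next to the check, e.g. `# None selects the default connection; an explicit {} is passed through as "no connections"`, and add a test for the `{}` case; if it is not, keep the falsy check as `if not connections:`. Everything else in this hunk is re-indentation, so the semantic change is easy to miss. The function starts in this hunk and continues into the next one.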
--- a/tests/api/cluster/test_app.py
+++ b/tests/api/cluster/test_app.py
@@ -4,6 +4,7 @@
 # Third-party
 import pytest
+from django.conf import settings
 # First-party/Local
 from controlpanel.api import cluster, models
@@ -156,5 +157,22 @@ def test_update_auth_connections(app, ExtendedAuth0):
 existing_conns='github')
+@patch("controlpanel.api.models.App.env_allowed_ip_ranges", new=MagicMock(return_value="1.2.3"))
+def test_create_secrets(app):
+ app_cluster = cluster.App(app)
+ secrets = {
+ app_cluster.IP_RANGES: "1.2.3",
+ app_cluster.APP_ROLE_ARN: app.iam_role_arn,
+ app_cluster.DATA_ACCOUNT_ID: settings.AWS_DATA_ACCOUNT_ID
+ }
+ with patch.object(app_cluster, "create_or_update_secrets"):
+ app_cluster._create_secrets(env_name="dev", client=None)
+ app_cluster.create_or_update_secrets.assert_called_once_with(
+ env_name="dev",
+ secret_data=secrets
+ )
+
+
+# TODO can this be removed?
 mock_ingress = MagicMock(name="Ingress")
 mock_ingress.spec.rules = [MagicMock(name="Rule", host="test-app.example.com")]
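Review bot: `test_create_secrets` builds its expected dict from the same expressions the code under test reads (`app.iam_role_arn`, `settings.AWS_DATA_ACCOUNT_ID`), so it still passes when either is `None` or empty and does not show that a usable value reaches `create_or_update_secrets`. Pin the inputs instead, for example `@override_settings(AWS_DATA_ACCOUNT_ID="123456789012")` (a constructed sample value) plus an explicit role ARN on the `app` fixture, and assert the literal values. Only the `client=None` path is exercised; a second case passing a client dict would cover the keys added in the `if client:` branch. The new `# TODO can this be removed?` would be easier to act on with an owner or issue reference.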