diff --git a/playbooks/openstack/pre.yaml b/playbooks/openstack/pre.yaml
index 395819a..e85f1c8 100644
--- a/playbooks/openstack/pre.yaml
+++ b/playbooks/openstack/pre.yaml
@@ -8,6 +8,10 @@
     vault_role_name: "{{ zuul_vault.vault_role_name }}"
 
   roles:
+    # Create a new AppRole secret for the zuul-scs-jobs AppRole
+    - role: create-vault-approle-secret
+
+    # Unwrap secret and exchange it for the Vault access token
     - role: create-vault-approle-token
       vault_role_id: "{{ zuul_vault.vault_role_id }}"
       vault_wrapping_token_id: "{{ lookup('file', vault_secret_dest) }}"
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index 5835248..d572c8d 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -50,6 +50,8 @@
     post-run: playbooks/openstack/post.yaml
     semaphores:
       - semaphore-openstack-access
+    allowed-projects:
+      - SovereignCloudStack/zuul-config
     vars:
       cloud: "gx-scs-zuul"
       vault_cloud_secret_path: "clouds/gx_scs_k8s_e2e"