diff --git a/internal/credentials/credentials.go b/internal/credentials/credentials.go
index ffb3ba94a..53734337c 100644
--- a/internal/credentials/credentials.go
+++ b/internal/credentials/credentials.go
@@ -43,13 +43,6 @@ type Reader interface {
 ReadCredentials(ctx context.Context, secretName string, credentials any) error
 }
-type Role int64
-
-const (
- RoleReader Role = iota
- RoleWriter
-)
-
 var ErrNotFound = errors.New("credentials not found")
 var ErrValidation = errors.New("credentials validation error")
@@ -78,3 +71,23 @@ func (a *APICreds) Validate() error {
 }
 return nil
 }
+
+type Role int64
+
+const (
+ RoleUnknown Role = iota
+ RoleReader
+ RoleWriter
+)
+
+// Implement string interface for Role
+func (r Role) String() string {
+ switch r {
+ case RoleReader:
+ return "reader"
+ case RoleWriter:
+ return "writer"
+ default:
+ return "unknown"
+ }
+}
diff --git a/internal/credentials/vault/keyval.go b/internal/credentials/vault/keyval.go
index 3b73b8b42..5cccbf0fd 100644
--- a/internal/credentials/vault/keyval.go
+++ b/internal/credentials/vault/keyval.go
@@ -111,7 +111,7 @@ func validateWriterClient(kv *vault.KVv2, pathPrefix string) error {
 return err
 }
- if err := kv.DeleteMetadata(ctx, healthCheckSecret); err != nil {
+ if err := kv.DeleteMetadata(ctx, keyPath); err != nil {
 return fmt.Errorf("deleting health check secret: %w", err)
 }
diff --git a/internal/credentials/vault/keyval_test.go b/internal/credentials/vault/keyval_test.go
index 4f681a07d..0501caa53 100644
--- a/internal/credentials/vault/keyval_test.go
+++ b/internal/credentials/vault/keyval_test.go
@@ -42,6 +42,7 @@ func (s *testSuite) TestNewManager() {
 connection string
 token string
 path string
+ prefix string
 expectedError bool
 role credentials.Role
 }{
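Review bot: `RoleUnknown` turns the zero value of `Role` into an explicitly invalid role, but nothing in this hunk rejects it, and the test cases in the next file still omit `role:` for the non-reader cases (`"invalid address writer"`, `"valid connection"`, and `"invalid mount path"` after its `RoleWriter` was dropped), which suggests `NewManager` treats anything that is not `RoleReader` — including an unset role — as a writer. If that is the case, a caller that forgets to set `Role` silently gets the more privileged writer path (and its write/delete health check against Vault) instead of an error, so it would be safer to fail closed where the role is consumed, e.g. add `func (r Role) IsValid() bool { return r == RoleReader || r == RoleWriter }` and have `NewManager` return an error when it is false. The comment on `String` should also be a real doc comment: `// String implements fmt.Stringer; any value other than RoleReader or RoleWriter renders as "unknown".`.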
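Review bot: The cleanup of the health-check secret is still a plain call placed after an earlier error return (the `return err` at the top of the hunk), so if that return fires once the probe secret has already been written, the secret under `keyPath` is left behind in Vault; now that the delete targets the correct prefixed `keyPath`, it would be worth moving it into a `defer` registered right after the write succeeds, e.g. `defer func() { _ = kv.DeleteMetadata(ctx, keyPath) }()`, keeping the explicit error path only if you want failures of the cleanup reported. Since `DeleteMetadata` on a KV v2 mount removes every version of the key, the writer health check presumably also requires `delete` on the metadata path — a sentence in `validateWriterClient`'s doc comment stating the capabilities the writer token must hold would make the expected Vault policy explicit. `validateWriterClient` begins and ends outside this hunk, so where `ctx` and `keyPath` are derived is not visible here.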
@@ -49,14 +50,16 @@ func (s *testSuite) TestNewManager() {
 {name: "missing address", token: defaultToken, expectedError: true},
 {name: "invalid address reader", token: defaultToken, connection: "http://non-existing:5000", expectedError: true, role: credentials.RoleReader},
 {name: "invalid address writer", token: defaultToken, connection: "http://non-existing:5000", expectedError: true},
- {name: "invalid mount path", token: defaultToken, connection: s.connectionString, path: "non-existing", expectedError: true, role: credentials.RoleWriter},
+ {name: "invalid mount path", token: defaultToken, connection: s.connectionString, path: "non-existing", expectedError: true},
 {name: "valid connection reader", connection: s.connectionString, token: defaultToken, role: credentials.RoleReader},
+ {name: "valid connection reader with prefix", connection: s.connectionString, token: defaultToken, role: credentials.RoleReader, prefix: "prefix"},
 {name: "valid connection", connection: s.connectionString, token: defaultToken},
+ {name: "valid connection with prefix", connection: s.connectionString, token: defaultToken, prefix: "prefix"},
 }
 for _, tc := range testCases {
 s.Run(tc.name, func() {
- opts := &vault.NewManagerOpts{AuthToken: tc.token, Address: tc.connection, MountPath: tc.path, Role: tc.role}
+ opts := &vault.NewManagerOpts{AuthToken: tc.token, Address: tc.connection, MountPath: tc.path, Role: tc.role, SecretPrefix: tc.prefix}
 _, err := vault.NewManager(opts)
 if tc.expectedError {
 assert.Error(err)