diff --git a/.ci/run.sh b/.ci/run.sh
index f0a18d929b511c..88ce0bd9986a19 100755
--- a/.ci/run.sh
+++ b/.ci/run.sh
@@ -5,6 +5,7 @@ set -e
 # move to Kibana root
 cd "$(dirname "$0")/.."
 
+source src/dev/ci_setup/load_env_keys.sh
 source src/dev/ci_setup/extract_bootstrap_cache.sh
 source src/dev/ci_setup/setup.sh
 source src/dev/ci_setup/checkout_sibling_es.sh
diff --git a/src/dev/ci_setup/load_env_keys.sh b/src/dev/ci_setup/load_env_keys.sh
new file mode 100644
index 00000000000000..af599e0712f351
--- /dev/null
+++ b/src/dev/ci_setup/load_env_keys.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [ -z "$VAULT_SECRET_ID" ]; then
+  echo ""
+  echo ""
+  echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~";
+  echo "    VAULT_SECRET_ID not set, not loading tokens into env";
+  echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~";
+  echo ""
+  echo ""
+else
+  # load shared helpers to get `retry` function
+  source /usr/local/bin/bash_standard_lib.sh
+
+  set +x
+
+  # export after define to avoid https://github.com/koalaman/shellcheck/wiki/SC2155
+  VAULT_TOKEN=$(retry 5 vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID")
+  export VAULT_TOKEN
+
+  # Set GITHUB_TOKEN for reporting test failures
+  GITHUB_TOKEN=$(retry 5 vault read -field=github_token secret/kibana-issues/dev/kibanamachine)
+  export GITHUB_TOKEN
+
+  KIBANA_CI_REPORTER_KEY=$(retry 5 vault read -field=value secret/kibana-issues/dev/kibanamachine-reporter)
+  export KIBANA_CI_REPORTER_KEY
+
+  PERCY_TOKEN=$(retry 5 vault read -field=value secret/kibana-issues/dev/percy)
+  export PERCY_TOKEN
+
+  # remove vault related secrets
+  unset VAULT_ROLE_ID VAULT_SECRET_ID VAULT_TOKEN VAULT_ADDR
+fi