diff --git a/DEPENDENCIES b/DEPENDENCIES
index 82349172..55899476 100644
--- a/DEPENDENCIES
+++ b/DEPENDENCIES
@@ -13,11 +13,15 @@ maven/mavencentral/com.github.docker-java/docker-java-transport-zerodep/3.3.4, A
 maven/mavencentral/com.github.docker-java/docker-java-transport/3.3.4, Apache-2.0, approved, #7942
 maven/mavencentral/com.github.stephenc.jcip/jcip-annotations/1.0-1, Apache-2.0, approved, CQ21949
 maven/mavencentral/com.google.code.findbugs/jsr305/3.0.2, Apache-2.0, approved, #20
+maven/mavencentral/com.google.code.gson/gson/2.10.1, Apache-2.0, approved, #6159
+maven/mavencentral/com.google.crypto.tink/tink/1.12.0, Apache-2.0, approved, #12041
+maven/mavencentral/com.google.errorprone/error_prone_annotations/2.22.0, Apache-2.0, approved, #10661
 maven/mavencentral/com.google.errorprone/error_prone_annotations/2.7.1, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.google.guava/failureaccess/1.0.1, Apache-2.0, approved, CQ22654
 maven/mavencentral/com.google.guava/guava/31.0.1-jre, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.google.guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava, Apache-2.0, approved, CQ22657
 maven/mavencentral/com.google.j2objc/j2objc-annotations/1.3, Apache-2.0, approved, CQ21195
+maven/mavencentral/com.google.protobuf/protobuf-java/3.24.3, BSD-3-Clause, approved, clearlydefined
 maven/mavencentral/com.nimbusds/nimbus-jose-jwt/9.37.3, Apache-2.0, approved, #11701
 maven/mavencentral/com.puppycrawl.tools/checkstyle/10.0, LGPL-2.1-or-later, approved, #7936
 maven/mavencentral/com.squareup.okhttp3/okhttp-dnsoverhttps/4.12.0, Apache-2.0, approved, #11159
diff --git a/extensions/common/vault/vault-aws/src/main/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultExtension.java b/extensions/common/vault/vault-aws/src/main/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultExtension.java
index 5939547f..feac7887 100644
--- a/extensions/common/vault/vault-aws/src/main/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultExtension.java +++ b/extensions/common/vault/vault-aws/src/main/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultExtension.java @@ -15,29 +15,20 @@ package org.eclipse.edc.vault.aws; import org.eclipse.edc.runtime.metamodel.annotation.Extension; -import org.eclipse.edc.runtime.metamodel.annotation.Provides; +import org.eclipse.edc.runtime.metamodel.annotation.Provider; import org.eclipse.edc.runtime.metamodel.annotation.Setting; -import org.eclipse.edc.spi.EdcException; -import org.eclipse.edc.spi.security.CertificateResolver; -import org.eclipse.edc.spi.security.PrivateKeyResolver; import org.eclipse.edc.spi.security.Vault; -import org.eclipse.edc.spi.security.VaultCertificateResolver; -import org.eclipse.edc.spi.security.VaultPrivateKeyResolver; import org.eclipse.edc.spi.system.ServiceExtension; import org.eclipse.edc.spi.system.ServiceExtensionContext; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient; -import static org.eclipse.edc.util.configuration.ConfigurationFunctions.propOrEnv; -import static org.eclipse.edc.util.string.StringUtils.isNullOrEmpty; - /** * This extension registers an implementation of the Vault interface for AWS Secrets Manager. * It also registers a VaultPrivateKeyResolver and VaultCertificateResolver, which store and retrieve certificates * using the AWS Secretes Manager Vault implementation. * The extension requires the "edc.vault.aws.region" parameter to be set to the AWS region in which secrets should be stored. */ -@Provides({ Vault.class, PrivateKeyResolver.class, CertificateResolver.class }) @Extension(value = org.eclipse.edc.vault.aws.AwsSecretsManagerVaultExtension.NAME) public class AwsSecretsManagerVaultExtension implements ServiceExtension { public static final String NAME = "AWS Secrets Manager Vault"; 
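Review bot: The class Javadoc kept as context in this hunk still says the extension "also registers a VaultPrivateKeyResolver and VaultCertificateResolver", but the `@Provides` entry for `PrivateKeyResolver` and `CertificateResolver` is removed here and the next hunk drops both `registerService` calls. A deployer reading the comment would assume key and certificate resolution is still wired to AWS Secrets Manager by this module, whereas the resolvers must now come from somewhere else (presumably another extension, not visible in this diff). Suggested replacement for the two stale comment lines: `* It provides only the Vault; PrivateKeyResolver and CertificateResolver are no longer registered by this extension.` The same comment spells the service "AWS Secretes Manager", which should read "AWS Secrets Manager".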
@@ -50,17 +41,14 @@ public String name() { return NAME; } - @Override - public void initialize(ServiceExtensionContext context) { - var vaultRegion = getMandatorySetting(context, VAULT_AWS_REGION); + @Provider + public Vault createVault(ServiceExtensionContext context) { + var vaultRegion = context.getConfig().getString(VAULT_AWS_REGION); var smClient = buildSmClient(vaultRegion); - var vault = new AwsSecretsManagerVault(smClient, context.getMonitor(), - new AwsSecretsManagerVaultDefaultSanitationStrategy(context.getMonitor())); - context.registerService(Vault.class, vault); - context.registerService(PrivateKeyResolver.class, new VaultPrivateKeyResolver(vault)); - context.registerService(CertificateResolver.class, new VaultCertificateResolver(vault)); + return new AwsSecretsManagerVault(smClient, context.getMonitor(), + new AwsSecretsManagerVaultDefaultSanitationStrategy(context.getMonitor())); } private SecretsManagerClient buildSmClient(String vaultRegion) { @@ -69,15 +57,4 @@ private SecretsManagerClient buildSmClient(String vaultRegion) { return builder.build(); } - private String getMandatorySetting(ServiceExtensionContext context, String setting) { - var value = context.getSetting(setting, null); - if (isNullOrEmpty(value)) { - value = propOrEnv(setting, null); - if (isNullOrEmpty(value)) { - throw new EdcException(String.format("'%s' must be supplied but was null", setting)); - } - } - return value; - } - } diff --git a/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultExtensionTest.java b/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultExtensionTest.java index 437d2c0e..6fbd43e4 100644 --- a/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultExtensionTest.java +++ b/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultExtensionTest.java 
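Review bot: `createVault` no longer rejects an empty region: the removed `getMandatorySetting` checked `isNullOrEmpty` and failed with a message naming the setting, while the new line `var vaultRegion = context.getConfig().getString(VAULT_AWS_REGION);` hands whatever the configuration returns straight to `buildSmClient`. How `getString` treats a missing or blank key is not visible in this diff, so a misconfigured vault may now fail later and less clearly (the updated test expects a `NullPointerException`). Consider an explicit guard right after the read, e.g. `if (vaultRegion == null || vaultRegion.isBlank()) { throw new IllegalArgumentException("'" + VAULT_AWS_REGION + "' must be supplied"); }`. The `propOrEnv` fallback is removed as well, so confirm that deployments supplying the region only through an environment variable or system property are still covered by the runtime configuration. The body of `buildSmClient` lies outside the hunk.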
@@ -14,9 +14,9 @@ package org.eclipse.edc.vault.aws; -import org.eclipse.edc.spi.EdcException; import org.eclipse.edc.spi.monitor.Monitor; import org.eclipse.edc.spi.system.ServiceExtensionContext; +import org.eclipse.edc.spi.system.configuration.Config; import org.junit.jupiter.api.Assertions; import org.junit.jupiter.api.Test; @@ -33,16 +33,18 @@ void configOptionRegionNotProvided_shouldThrowException() { ServiceExtensionContext invalidContext = mock(ServiceExtensionContext.class); when(invalidContext.getMonitor()).thenReturn(monitor); - Assertions.assertThrows(EdcException.class, () -> extension.initialize(invalidContext)); + Assertions.assertThrows(NullPointerException.class, () -> extension.createVault(invalidContext)); } @Test void configOptionRegionProvided_shouldNotThrowException() { ServiceExtensionContext validContext = mock(ServiceExtensionContext.class); - when(validContext.getSetting("edc.vault.aws.region", null)).thenReturn("eu-west-1"); + Config cfg = mock(); + when(cfg.getString("edc.vault.aws.region")).thenReturn("eu-west-1"); + when(validContext.getConfig()).thenReturn(cfg); when(validContext.getMonitor()).thenReturn(monitor); - extension.initialize(validContext); + extension.createVault(validContext); } }
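Review bot: `configOptionRegionNotProvided_shouldThrowException` now passes only because the bare mock returns `null` from `getConfig()`, so the asserted `NullPointerException` comes from dereferencing the mock rather than from any check on `edc.vault.aws.region`. The test would keep passing if region validation disappeared entirely, and it pins an NPE as the contract for a missing mandatory vault setting. Stub `getConfig()` with a configuration that lacks the key, e.g. `when(invalidContext.getConfig()).thenReturn(emptyConfig);` (with `emptyConfig` a real or stubbed `Config` without the region), and assert the exception the extension is meant to raise. In `configOptionRegionProvided_shouldNotThrowException` the result could also be checked: `Assertions.assertNotNull(extension.createVault(validContext));`.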