diff --git a/.github/workflows/deploy_terraform.yml b/.github/workflows/deploy_terraform.yml
index 4ac08e41..35002b3a 100644
--- a/.github/workflows/deploy_terraform.yml
+++ b/.github/workflows/deploy_terraform.yml
@@ -66,6 +66,35 @@ jobs:
 working-directory: infrastructure/terraform/shared
 run: terraform apply -auto-approve tfplan
+ # ============================================================
+ # Fetch DB credentials
+ # ============================================================
+ fetch_db:
+ needs: determine_stage
+ runs-on: ubuntu-latest
+ outputs:
+ db_username: ${{ steps.get_db.outputs.db_username }}
+ db_password: ${{ steps.get_db.outputs.db_password }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Configure AWS
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ secrets.DEV_AWS_REGION }}
+
+ - id: get_db
+ run: |
+ SECRET=$(aws secretsmanager get-secret-value \
+ --secret-id "${{ needs.determine_stage.outputs.stage }}/assessment_model/db_credentials" \
+ --query SecretString --output text)
+ echo "db_username=$(echo $SECRET | jq -r .db_assessment_model_username)" >> $GITHUB_OUTPUT
+ echo "db_password=$(echo $SECRET | jq -r .db_assessment_model_password)" >> $GITHUB_OUTPUT
+
+ # ============================================================
 # 2️⃣ Build Address 2 UPRN image and Push
 # ============================================================
@@ -157,7 +186,7 @@ jobs:
 # Deploy Condition ETL Lambda
 # ============================================================
 condition_etl_lambda:
- needs: [condition_etl_image, determine_stage]
+ needs: [condition_etl_image, fetch_db, determine_stage]
 uses: ./.github/workflows/_deploy_lambda.yml
 with:
 lambda_name: condition-etl
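Review bot: The new `fetch_db` job publishes the database password as a plain job output (`db_password: ${{ steps.get_db.outputs.db_password }}`), and the value read from Secrets Manager in the `get_db` step is never registered with `::add-mask::`, so it is not redacted wherever a downstream job or the called workflow prints it. Masking alone would not fix this, because GitHub drops job outputs it recognises as secrets; the safer design is to export only the secret id and let the consumer read the secret itself. In the same step, `--secret-id "${{ needs.determine_stage.outputs.stage }}/..."` is expanded into the script text before bash runs, so if `stage` can derive from a branch or input name it should be passed through `env:` and referenced as `"$STAGE"`. `echo $SECRET` is also unquoted and will word-split and glob the JSON; `jq -r .db_assessment_model_username <<<"$SECRET"` avoids that.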
@@ -165,6 +194,10 @@ jobs:
 stage: ${{ needs.determine_stage.outputs.stage }}
 ecr_repo: condition-etl-${{ needs.determine_stage.outputs.stage }}
 image_digest: ${{ needs.condition_etl_image.outputs.image_digest }}
+ environment_vars: |
+ DB_USERNAME=${{ needs.fetch_db.outputs.db_username }}
+ DB_PASSWORD=${{ needs.fetch_db.outputs.db_password }}
+ AWS_DEFAULT_REGION=${{ secrets.DEV_AWS_REGION }}
 secrets:
 AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
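Review bot: `DB_PASSWORD=${{ needs.fetch_db.outputs.db_password }}` travels as a plain `with:` input rather than under `secrets:`, so the called workflow receives it unmasked. If `_deploy_lambda.yml` writes `environment_vars` into the function configuration (not visible here), the password is also stored there, readable by any principal allowed to read that configuration. Prefer passing a reference such as `DB_SECRET_ID=${{ needs.determine_stage.outputs.stage }}/assessment_model/db_credentials` and granting the Lambda execution role `secretsmanager:GetSecretValue` on that one secret. Separately, `${{ secrets.DEV_AWS_REGION }}` sits under `with:` of a reusable-workflow call, where the `secrets` context is not available, and `AWS_DEFAULT_REGION` is a reserved Lambda variable that the runtime sets itself, so that line can likely be dropped. The `with:` block opens above this hunk.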