diff --git a/services/terraform/remote/service_tunnelbroker.tf b/services/terraform/remote/service_tunnelbroker.tf
--- a/services/terraform/remote/service_tunnelbroker.tf
+++ b/services/terraform/remote/service_tunnelbroker.tf
@@ -18,6 +18,12 @@
   # utility locals
   tunnelbroker_docker_image = "${local.tunnelbroker_config.docker_image}:${local.tunnelbroker_config.docker_tag}"
   rabbitmq_password         = local.secrets.amqpPassword[local.environment]
+
+  apns_config_secret_name = "tunnelbroker/APNsConfig"
+}
+
+data "aws_secretsmanager_secret" "tunnelbroker_apns" {
+  name = local.apns_config_secret_name
 }
 
 # RabbitMQ
@@ -87,6 +93,12 @@
           value = local.identity_local_url
         }
       ]
+      secrets = [
+        {
+          name      = "APNS_CONFIG"
+          valueFrom = data.aws_secretsmanager_secret.tunnelbroker_apns.arn
+        }
+      ]
       logConfiguration = {
         "logDriver" = "awslogs"
         "options" = {
diff --git a/services/tunnelbroker/src/constants.rs b/services/tunnelbroker/src/constants.rs
--- a/services/tunnelbroker/src/constants.rs
+++ b/services/tunnelbroker/src/constants.rs
@@ -11,7 +11,7 @@
 pub const DDB_RMQ_MSG_PRIORITY: u8 = 10;
 pub const CLIENT_RMQ_MSG_PRIORITY: u8 = 1;
 pub const RMQ_CONSUMER_TAG: &str = "tunnelbroker";
-
+pub const ENV_APNS_CONFIG: &str = "APNS_CONFIG";
 pub const LOG_LEVEL_ENV_VAR: &str =
   tracing_subscriber::filter::EnvFilter::DEFAULT_ENV;