diff --git a/.github/workflows/build-image-on-ecr-with-vault.yml b/.github/workflows/build-image-on-ecr-with-vault.yml
index f0ff7b7..a383f35 100644
--- a/.github/workflows/build-image-on-ecr-with-vault.yml
+++ b/.github/workflows/build-image-on-ecr-with-vault.yml
@@ -25,6 +25,9 @@ on:
         required: false
         type: string
         default: .
+      WORKDIR:
+        required: false
+        type: string
 
 jobs:
   build_docker_image:
@@ -46,6 +49,11 @@ jobs:
       - name: Login ECR registry
         run: aws ecr get-login-password --region ${{ inputs.AWS_REGION }} | docker login --username AWS --password-stdin ${{ inputs.BASE_REGISTRY_PATH }}/${{ inputs.PROJECT_NAME }}
       - name: Build the Docker image
+        if: ${{ inputs.WORKDIR == '' }}
+        run: docker build -t ${{ inputs.BASE_REGISTRY_PATH }}/${{ inputs.PROJECT_NAME }}:${{ github.sha }}-${{ github.ref_name }} ${{ inputs.CUSTOM_DOCKER_OPTIONS }}
+      - name: Build the Docker image in specific workdir
+        if: ${{ inputs.WORKDIR != '' }}
+        working-directory: ./${{ inputs.WORKDIR }}
         run: docker build -t ${{ inputs.BASE_REGISTRY_PATH }}/${{ inputs.PROJECT_NAME }}:${{ github.sha }}-${{ github.ref_name }} ${{ inputs.CUSTOM_DOCKER_OPTIONS }}
       - name: Tag image with additional custom tag
         if: ${{ inputs.CUSTOM_IMAGE_TAG != '' }}
diff --git a/.github/workflows/cloudfront-cache-invalidation.yml b/.github/workflows/cloudfront-cache-invalidation.yml
index bf383c6..0822a92 100644
--- a/.github/workflows/cloudfront-cache-invalidation.yml
+++ b/.github/workflows/cloudfront-cache-invalidation.yml
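Review bot: The new `WORKDIR` input carries no `description:`, and the empty-string default that its consumers rely on (`inputs.WORKDIR == ''` in the build steps) is left implicit. Add `description: Subdirectory of the checkout to run docker build in; leave empty to build at the repository root.` and an explicit `default: ""` so the contract is visible to calling workflows. Because the value is later joined into `working-directory: ./${{ inputs.WORKDIR }}`, the description should also state that it must be a relative path inside the checkout, which spares callers an opaque runner error when it is not.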
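Review bot: The two build steps run the identical `docker build` command and differ only in `working-directory`; since `./${{ inputs.WORKDIR }}` resolves to `./` when the input is empty, a single step with `working-directory: ./${{ inputs.WORKDIR }}` and no `if:` gives the same behaviour and removes the duplicated `run:` line that now has to be kept in sync by hand. The duplicated line also repeats the existing habit of interpolating `inputs.CUSTOM_DOCKER_OPTIONS` straight into the shell script; passing it via `env:` and referencing `"$CUSTOM_DOCKER_OPTIONS"` keeps the value out of script parsing, although the input comes from the calling workflow so the exposure stays within that trust boundary. The `build_docker_image` step list starts and ends outside the hunk.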
@@ -1,17 +1,37 @@
 name: Cloudfront cache invalidation
 on:
-  inputs:
-    DISTRIBUTION_ID:
-      required: true
-      type: string
-    AWS_REGION:
-      required: true
-      type: string
+  workflow_call:
+    secrets:
+      vault_token:
+        required: true
+    inputs:
+      DISTRIBUTION_ID:
+        required: true
+        type: string
+      VAULT_AWS_NAME:
+        required: false
+        type: string
+        default: aws_devops_tools
+      AWS_REGION:
+        required: true
+        type: string
 
 jobs:
   cloudfront-cache-invalidation:
     runs-on: ubuntu-latest
     steps:
+      - name: Import Secrets
+        uses: hashicorp/vault-action@v2.4.2
+        with:
+          url: https://vault.crispybacon.it
+          token: ${{ secrets.vault_token }}
+          secrets: |
+            ${{ inputs.VAULT_AWS_NAME }}/creds/github-pipeline-access-role access_key | AWS_ACCESS_KEY_ID ;
+            ${{ inputs.VAULT_AWS_NAME }}/creds/github-pipeline-access-role secret_key | AWS_SECRET_ACCESS_KEY ;
+
+      - name: Wait for IAM credentials to be ready
+        run: sleep 10
+
       - name: cache invalidation on distribution ID ${{ inputs.DISTRIBUTION_ID }}
         run: aws cloudfront create-invalidation --distribution-id ${{ inputs.DISTRIBUTION_ID }} --paths "/*" "/**/*" --region ${{ inputs.AWS_REGION }}
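Review bot: `run: sleep 10` in the "Wait for IAM credentials to be ready" step is a fixed delay standing in for an eventual-consistency check, so the invalidation step will still fail intermittently when the freshly issued key takes longer than ten seconds to become usable, and it wastes time when the key is ready sooner. Polling `aws sts get-caller-identity` with a bounded retry makes the readiness condition explicit and fails with a clear message instead of a downstream permission error; the loop below assumes the Vault-provided keys are exported to the job environment, which seems to be what the following step relies on. Separately, `uses: hashicorp/vault-action@v2.4.2` pins a mutable tag; pinning to the full commit SHA of that release (with the tag in a trailing comment) is the usual guard against the tag being moved, which matters here because this step receives the Vault token. The rest of the job is unchanged.
```yaml
      - name: Wait for IAM credentials to be ready
        run: |
          for attempt in $(seq 1 12); do
            if aws sts get-caller-identity >/dev/null 2>&1; then
              exit 0
            fi
            sleep 5
          done
          echo "IAM credentials not usable after 60s" >&2
          exit 1
      # … unchanged: cache invalidation step …
```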