diff --git a/Cargo.lock b/Cargo.lock
index ce6bfeb..b641fe1 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -871,6 +871,7 @@ dependencies = [
 "schemars",
 "serde",
 "serde_json",
+ "thiserror",
 "tokio",
 ]
diff --git a/Cargo.toml b/Cargo.toml
index 926dc9e..c9882b1 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -16,3 +16,4 @@ tokio = { version = "1.28.0", features = ["full"] }
 kube = { version = "0.82.2", features = ["runtime", "derive"] }
 k8s-openapi = { version = "0.18.0", features = ["v1_26"] } # TODO : switch to v1_27
 futures = "0.3.28"
+thiserror = "1.0.40"
diff --git a/src/constants.rs b/src/constants.rs
new file mode 100644
index 0000000..53f5800
--- /dev/null
+++ b/src/constants.rs
@@ -0,0 +1,6 @@
+//! # Application constants
+pub const SECRET_MINIO_INSTANCE_ACCESS_KEY: &str = "accessKey";
+pub const SECRET_MINIO_INSTANCE_SECRET_KEY: &str = "secretKey";
+
+pub const SECRET_MINIO_BUCKET_ACCESS_KEY: &str = "accessKey";
+pub const SECRET_MINIO_BUCKET_SECRET_KEY: &str = "secretKey";
\ No newline at end of file
diff --git a/src/crd.rs b/src/crd.rs
index 27ce17f..5f0d147 100644
--- a/src/crd.rs
+++ b/src/crd.rs
@@ -43,7 +43,7 @@ pub struct MinioBucketSpec {
 #[serde(default)]
 pub anonymous_read_access: bool,
 #[serde(default)]
- versioning: bool,
- quota: Option,
- retention: Option,
+ pub versioning: bool,
+ pub quota: Option,
+ pub retention: Option,
 }
diff --git a/src/lib.rs b/src/lib.rs
index b89e978..2aab6f6 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -1 +1,4 @@
+pub mod constants;
 pub mod crd;
+pub mod secrets;
+pub mod minio;
\ No newline at end of file
diff --git a/src/main.rs b/src/main.rs
index df7d984..c8e9878 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,7 +1,11 @@
 use futures::TryStreamExt;
+use k8s_openapi::api::core::v1::Secret;
 use kube::{Api, Client};
 use kube::runtime::{watcher, WatchStreamExt};
-use minio_operator::crd::MinioBucket;
+use minio_operator::constants::{SECRET_MINIO_INSTANCE_ACCESS_KEY, SECRET_MINIO_INSTANCE_SECRET_KEY};
+use minio_operator::crd::{MinioBucket, MinioInstance};
+use minio_operator::minio::MinioService;
+use minio_operator::secrets::read_secret_str;
 #[tokio::main]
 async fn main() -> anyhow::Result<()> {
@@ -27,7 +31,23 @@ async fn main() -> anyhow::Result<()> {
 /// Make sure a bucket is compliant with a desired configuration
-async fn apply_bucket(b: &MinioBucket, _client: &Client) -> anyhow::Result<()> {
+async fn apply_bucket(b: &MinioBucket, client: &Client) -> anyhow::Result<()> {
 log::info!("Apply configuration for bucket {}", b.spec.name);
+
+ // Get instance information
+ let instances: Api = Api::default_namespaced(client.clone());
+ let instance = instances.get(&b.spec.instance).await?;
+
+ // Get instance configuration
+ let secrets: Api = Api::default_namespaced(client.clone());
+ let instance_secret = secrets.get(&instance.spec.credentials).await?;
+ let service = MinioService {
+ hostname: instance.spec.endpoint,
+ access_key: read_secret_str(&instance_secret, SECRET_MINIO_INSTANCE_ACCESS_KEY)?,
+ secret_key: read_secret_str(&instance_secret, SECRET_MINIO_INSTANCE_SECRET_KEY)?,
+ };
+
+ println!("{:?}", service);
+
 Ok(())
 }
\ No newline at end of file
diff --git a/src/minio.rs b/src/minio.rs
new file mode 100644
index 0000000..00a6cb3
--- /dev/null
+++ b/src/minio.rs
@@ -0,0 +1,6 @@
+#[derive(Debug, Clone)]
+pub struct MinioService {
+ pub hostname: String,
+ pub access_key: String,
+ pub secret_key: String,
+}
\ No newline at end of file
diff --git a/src/secrets.rs b/src/secrets.rs
new file mode 100644
index 0000000..fac72e6
--- /dev/null
+++ b/src/secrets.rs
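Review bot: In `apply_bucket` (src/main.rs), `println!("{:?}", service);` writes the instance's `access_key` and `secret_key` to the operator's stdout, because `MinioService` in src/minio.rs derives `Debug` over all three fields. Container stdout is normally picked up by the cluster's log collection, so read access to the operator's logs would be enough to recover the MinIO credentials. I would drop the print or log only the endpoint, e.g. `log::debug!("Using MinIO instance at {}", service.hostname);`. The same defect sits in the src/minio.rs hunk: replacing the derived `Debug` with a hand-written impl that prints a fixed placeholder for the two key fields would stop a later `{:?}` from reintroducing the leak.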
@@ -0,0 +1,20 @@
+use k8s_openapi::api::core::v1::Secret;
+
+#[derive(thiserror::Error, Debug)]
+enum SecretError {
+ #[error("Secret has no data!")]
+ MissingData,
+ #[error("The key '{0}' is not present in the secret!")]
+ MissingKey(String),
+}
+
+/// Attempt to read a value contained in a secret. Returns an error in case
+/// of failure
+pub fn read_secret_str(s: &Secret, key: &str) -> anyhow::Result {
+ let data = s.data.as_ref().ok_or(SecretError::MissingData)?;
+
+ let value = data.get(key)
+ .ok_or(SecretError::MissingKey(key.to_string()))?;
+
+ Ok(String::from_utf8(value.0.clone())?)
+}
\ No newline at end of file
diff --git a/test/first-test.yaml b/test/first-test.yaml
index 46f19ed..37cb409 100644
--- a/test/first-test.yaml
+++ b/test/first-test.yaml
@@ -4,8 +4,8 @@ metadata:
 name: minio-root
 type: Opaque
 data:
- accessKey: bWluaW8=
- secretKey: bWluaW8=
+ accessKey: bWluaW9hZG1pbg==
+ secretKey: bWluaW9hZG1pbg==
 ---
 apiVersion: "communiquons.org/v1"
 kind: MinioInstance
diff --git a/yaml/minio-bucket.yaml b/yaml/minio-bucket.yaml
index 7f74c7f..d2067f6 100644
--- a/yaml/minio-bucket.yaml
+++ b/yaml/minio-bucket.yaml
@@ -34,7 +34,7 @@ spec:
 type: string
 example: mybucket
 secret:
- description: The name of the secret that will receive an access key & token with write access on the bucket
+ description: The name of the secret that will receive an access key & a secret key with write access on the bucket
 type: string
 example: secret-name
 anonymous_read_access:
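Review bot: In `read_secret_str` (src/secrets.rs), the `String::from_utf8(value.0.clone())?` failure path propagates a bare `FromUtf8Error`, which does not name the offending key and which owns the copied secret bytes, so they travel up inside the `anyhow::Error`. Mapping the failure to a dedicated variant keeps the bytes out of the error value and makes the message actionable: add `#[error("The key '{0}' is not valid UTF-8!")] InvalidUtf8(String),` to `SecretError` and end the call with `.map_err(|_| SecretError::InvalidUtf8(key.to_string()))?`. Separately, `ok_or(SecretError::MissingKey(key.to_string()))` builds the error string on the success path as well; `ok_or_else(|| SecretError::MissingKey(key.to_string()))` avoids that. `SecretError` is also declared without `pub`, so callers outside the module cannot downcast to it and can only read the message text.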