diff --git a/api/environments/environment_handler.go b/api/environments/environment_handler.go
index aceed287..c0272360 100644
--- a/api/environments/environment_handler.go
+++ b/api/environments/environment_handler.go
@@ -29,6 +29,8 @@ import (
 	log "github.com/sirupsen/logrus"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/selection"
 	"k8s.io/client-go/kubernetes"
 )
 
@@ -188,7 +190,12 @@ func (eh EnvironmentHandler) GetEnvironment(ctx context.Context, appName, envNam
 	if err != nil {
 		return nil, err
 	}
-	secretList, err := kubequery.GetSecretsForEnvironment(ctx, eh.accounts.ServiceAccount.Client, appName, envName)
+
+	noJobPayloadReq, err := labels.NewRequirement(kube.RadixSecretTypeLabel, selection.NotEquals, []string{string(kube.RadixSecretJobPayload)})
+	if err != nil {
+		return nil, err
+	}
+	secretList, err := kubequery.GetSecretsForEnvironment(ctx, eh.accounts.ServiceAccount.Client, appName, envName, *noJobPayloadReq)
 	if err != nil {
 		return nil, err
 	}
diff --git a/api/kubequery/secret.go b/api/kubequery/secret.go
index ad26a80f..1e7e8b3b 100644
--- a/api/kubequery/secret.go
+++ b/api/kubequery/secret.go
@@ -6,13 +6,16 @@ import (
 	operatorutils "github.com/equinor/radix-operator/pkg/apis/utils"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/kubernetes"
 )
 
 // GetSecretsForEnvironment returns all Secrets for the specified application and environment.
-func GetSecretsForEnvironment(ctx context.Context, client kubernetes.Interface, appName, envName string) ([]corev1.Secret, error) {
+func GetSecretsForEnvironment(ctx context.Context, client kubernetes.Interface, appName, envName string, req ...labels.Requirement) ([]corev1.Secret, error) {
+	sel := labels.NewSelector().Add(req...)
+
 	ns := operatorutils.GetEnvironmentNamespace(appName, envName)
-	secrets, err := client.CoreV1().Secrets(ns).List(ctx, metav1.ListOptions{})
+	secrets, err := client.CoreV1().Secrets(ns).List(ctx, metav1.ListOptions{LabelSelector: sel.String()})
 	if err != nil {
 		return nil, err
 	}
diff --git a/api/kubequery/secret_test.go b/api/kubequery/secret_test.go
index 424e0785..8b51eab4 100644
--- a/api/kubequery/secret_test.go
+++ b/api/kubequery/secret_test.go
@@ -4,10 +4,13 @@ import (
 	"context"
 	"testing"
 
+	"github.com/equinor/radix-operator/pkg/apis/kube"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/selection"
 	kubefake "k8s.io/client-go/kubernetes/fake"
 )
 
@@ -15,9 +18,14 @@ func Test_GetSecretsForEnvironment(t *testing.T) {
 	matched1 := corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "matched1", Namespace: "app1-env1"}}
 	matched2 := corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "matched2", Namespace: "app1-env1"}}
 	unmatched := corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "unmatched", Namespace: "app2-env1"}}
-	client := kubefake.NewSimpleClientset(&matched1, &matched2, &unmatched)
+	jobPayload := corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "payload", Namespace: "app1-env1", Labels: map[string]string{kube.RadixSecretTypeLabel: string(kube.RadixSecretJobPayload)}}}
+	client := kubefake.NewSimpleClientset(&matched1, &matched2, &unmatched, &jobPayload)
+
 	expected := []corev1.Secret{matched1, matched2}
-	actual, err := GetSecretsForEnvironment(context.Background(), client, "app1", "env1")
+	noJobPayloadReq, err := labels.NewRequirement(kube.RadixSecretTypeLabel, selection.NotEquals, []string{string(kube.RadixSecretJobPayload)})
+	require.NoError(t, err)
+
+	actual, err := GetSecretsForEnvironment(context.Background(), client, "app1", "env1", *noJobPayloadReq)
 	require.NoError(t, err)
 	assert.ElementsMatch(t, expected, actual)
 }