diff --git a/README.md b/README.md
index 9fd12325a9f80e17da24beb53c836ad341ec14b1..d0d92180bbac7c32ac91c969958214c788158248 100644
--- a/README.md
+++ b/README.md
@@ -65,7 +65,7 @@ but for the time being, this is what we're stuck with.
 The very first time you run terraform on your system, you'll have to init it:
 
     cd tf-stage1  # and also tf-stage2
-    terraform init -backend-config="conn_str=postgres://terraform:$(../misc/get_key.py group_vars/all/vault_terraform.yml vault_terraform_db_password)@state.archlinux.org"
+    terraform init -backend-config="conn_str=postgres://terraform:$(../misc/get_key.py ../group_vars/all/vault_terraform.yml vault_terraform_db_password)@state.archlinux.org"
 
 After making changes to the infrastructure in `tf-stage1/archlinux.tf`, run
 
diff --git a/misc/get_key.py b/misc/get_key.py
index 572b2f76a67668e896c38daf5434a59720f758b6..6a9629e5246684eed705d415319e6e2957b11b97 100755
--- a/misc/get_key.py
+++ b/misc/get_key.py
@@ -40,10 +40,9 @@ with chdir(root):
 
 
 def load_vault(path):
-    with chdir(root):
-        return yaml.load(
-            vault_lib.decrypt(Path(path).read_text()), Loader=yaml.SafeLoader
-        )
+    return yaml.load(
+        vault_lib.decrypt(Path(path).read_text()), Loader=yaml.SafeLoader
+    )
 
 
 class OutputFormat(str, Enum):
diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf
index fd139367e4091b5d529d9ac0efcc01ae0037af69..e492af1ce66b23331525fcbe59c9cc6843ee969b 100644
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -6,7 +6,7 @@ terraform {
 
 data "external" "vault_hetzner" {
   program = [
-    "${path.module}/../misc/get_key.py", "misc/vault_hetzner.yml",
+    "${path.module}/../misc/get_key.py", "${path.module}/../misc/vault_hetzner.yml",
     "hetzner_cloud_api_key",
     "hetzner_dns_api_key",
     "--format", "json"
diff --git a/tf-stage2/keycloak.tf b/tf-stage2/keycloak.tf
index 7b64ad1c30b76ea4fa4f111a8e40845d167c2084..2f30803767b540cb25afcc06f8a0c2ac42a7008a 100644
--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -5,7 +5,7 @@ terraform {
 }
 
 data "external" "vault_keycloak" {
-  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_keycloak.yml",
+  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_keycloak.yml",
     "vault_keycloak_admin_user",
     "vault_keycloak_admin_password",
     "vault_keycloak_smtp_user",
@@ -14,33 +14,33 @@ data "external" "vault_keycloak" {
 }
 
 data "external" "vault_google" {
-  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_google.yml",
+  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_google.yml",
     "vault_google_recaptcha_site_key",
     "vault_google_recaptcha_secret_key",
   "--format", "json"]
 }
 
 data "external" "vault_github" {
-  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_github.yml",
+  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_github.yml",
     "vault_github_oauth_app_client_id",
     "vault_github_oauth_app_client_secret",
   "--format", "json"]
 }
 
 data "external" "vault_monitoring" {
-  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_monitoring.yml",
+  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_monitoring.yml",
     "vault_monitoring_grafana_client_secret",
   "--format", "json"]
 }
 
 data "external" "vault_hedgedoc" {
-  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_hedgedoc.yml",
+  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_hedgedoc.yml",
     "vault_hedgedoc_client_secret",
   "--format", "json"]
 }
 
 data "external" "vault_matrix" {
-  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_matrix.yml",
+  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_matrix.yml",
     "vault_matrix_openid_client_secret",
   "--format", "json"]
 }
diff --git a/tf-stage2/uptimerobot.tf b/tf-stage2/uptimerobot.tf
index 326fb0dcf3846a54d6cc6dedf289fa5eeb7a3876..ef46d2c5718fc203fd89e77cd79e657a8c56ce8e 100644
--- a/tf-stage2/uptimerobot.tf
+++ b/tf-stage2/uptimerobot.tf
@@ -3,7 +3,7 @@
 # https://github.com/louy/terraform-provider-uptimerobot/issues/82
 
 data "external" "vault_uptimerobot" {
-  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_uptimerobot.yml",
+  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_uptimerobot.yml",
     "vault_uptimerobot_api_key",
     "vault_uptimerobot_alert_contact",
   "--format", "json"]