diff --git a/fence/config-default.yaml b/fence/config-default.yaml
index 8f79fdebf..032293999 100755
--- a/fence/config-default.yaml
+++ b/fence/config-default.yaml
@@ -679,6 +679,7 @@ INDEXD: null
 # this is the username which fence uses to make authenticated requests to indexd
 INDEXD_USERNAME: 'fence'
 # this is the password which fence uses to make authenticated requests to indexd
+# can also be set via env var INDEXD_PASSWORD
 INDEXD_PASSWORD: ''
 
 # //////////////////////////////////////////////////////////////////////////////////////
diff --git a/fence/config.py b/fence/config.py
index 1c7ff15b9..e643a758c 100644
--- a/fence/config.py
+++ b/fence/config.py
@@ -60,6 +60,17 @@ def post_process(self):
                 "Environment variable 'DB' empty or not set: using 'DB' field from config file"
             )
 
+        # allow setting INDEXD_PASSWORD via env var
+        if os.environ.get("INDEXD_PASSWORD"):
+            logger.info(
+                "Found environment variable 'INDEXD_PASSWORD': overriding 'INDEXD_PASSWORD' field from config file"
+            )
+            self["INDEXD_PASSWORD"] = os.environ["INDEXD_PASSWORD"]
+        else:
+            logger.debug(
+                "Environment variable 'INDEXD_PASSWORD' empty or not set: using 'INDEXD_PASSWORD' field from config file"
+            )
+
         if "ROOT_URL" not in self._configs and "BASE_URL" in self._configs:
             url = urllib.parse.urlparse(self._configs["BASE_URL"])
             self._configs["ROOT_URL"] = "{}://{}".format(url.scheme, url.netloc)