diff --git a/git-wrapper.sh b/git-wrapper.sh
index cf32917..09f807d 100755
--- a/git-wrapper.sh
+++ b/git-wrapper.sh
@@ -1,5 +1,9 @@
 #!/bin/bash
 
+exec >>/tmp/checkout 2>&1
+
+echo -e "\n\n+++ $@"
+
 source /git-crypt-vault/env.sh
 
 $(dirname $0)/git.bin "$@"
@@ -7,7 +11,7 @@ EC=$?
 
 if [ "$1" = "checkout" -a -f ".git-crypt-key" -a ! "$GIT_CRYPT_RUNNING" = "true" ]; then
   export GIT_CRYPT_RUNNING=true
-  export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="${VAULT_ROLE_ID:-}")
+  export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="${VAULT_ROLE_ID}")
 
   tmpfile=$(mktemp)
   vault read -field=key "secret/git-crypt/$(<.git-crypt-key)" | base64 -d >${tmpfile}