diff --git a/ee/lib/ee/gitlab/ci/config/entry/job.rb b/ee/lib/ee/gitlab/ci/config/entry/job.rb
index 6afc37267bc053f341111575a875185d1e69a1ac..44767353821a7ee4048bd3da80c115def463a9ac 100644
--- a/ee/lib/ee/gitlab/ci/config/entry/job.rb
+++ b/ee/lib/ee/gitlab/ci/config/entry/job.rb
@@ -10,6 +10,12 @@ module EE
             extend ::Gitlab::Utils::Override
 
             prepended do
+              attributes :secrets
+
+              validations do
+                validates :secrets, absence: { message: 'feature is disabled' }, unless: :secrets_enabled?
+              end
+
               entry :secrets, ::Gitlab::Ci::Config::Entry::Secrets,
                 description: 'Configured secrets for this job',
                 inherit: false
@@ -19,6 +25,10 @@ module EE
             def value
               super.merge({ secrets: secrets_value }.compact)
             end
+
+            def secrets_enabled?
+              ::Feature.enabled?(:ci_secrets_syntax, default_enabled: true)
+            end
           end
         end
       end
diff --git a/ee/spec/lib/gitlab/ci/config/entry/job_spec.rb b/ee/spec/lib/gitlab/ci/config/entry/job_spec.rb
index a722a5eb93f8e6ff9627571a72140504bfd23b9b..cfb72efcdec71d8f1e93ed1013c598677fbcf594 100644
--- a/ee/spec/lib/gitlab/ci/config/entry/job_spec.rb
+++ b/ee/spec/lib/gitlab/ci/config/entry/job_spec.rb
@@ -6,19 +6,40 @@ RSpec.describe Gitlab::Ci::Config::Entry::Job do
   let(:entry) { described_class.new(config, name: :rspec) }
 
   describe 'validations' do
-    before do
-      entry.compose!
-    end
-
     context 'when entry value is correct' do
       context 'when has secrets' do
-        let(:config) { { script: 'echo', secrets: {} } }
+        let(:config) { { script: 'echo', secrets: { DATABASE_PASSWORD: { vault: 'production/db/password' } } } }
+
+        context 'when ci_secrets_syntax feature flag is enabled' do
+          before do
+            stub_feature_flags(ci_secrets_syntax: true)
+            entry.compose!
+          end
+
+          it { expect(entry).to be_valid }
+        end
+
+        context 'when ci_secrets_syntax feature flag is disabled' do
+          before do
+            stub_feature_flags(ci_secrets_syntax: false)
+            entry.compose!
+          end
 
-        it { expect(entry).to be_valid }
+          it 'returns an error' do
+            aggregate_failures do
+              expect(entry).not_to be_valid
+              expect(entry.errors).to include 'job secrets feature is disabled'
+            end
+          end
+        end
       end
     end
 
     context 'when entry value is not correct' do
+      before do
+        entry.compose!
+      end
+
       context 'when has needs' do
         context 'when needs is bridge type' do
           let(:config) do