diff --git a/examples/rollout-secret.yaml b/examples/rollout-secret.yaml
index 87d59ceb24..f6b3094289 100644
--- a/examples/rollout-secret.yaml
+++ b/examples/rollout-secret.yaml
@@ -1,5 +1,5 @@
 # This example demonstrates a Rollout which starts and finishes analysis at a specific canary step.
-# The AnalysisTemplate references an Secret object, which contains an API, token and passes it to a Web metric provider.
+# The AnalysisTemplate references an Secret object, which contains the URL, and passes it to a Web metric provider.
 #
 # Prerequisites: None
 
@@ -20,7 +20,7 @@ spec:
     spec:
       containers:
       - name: rollouts-demo
-        image: argoproj/rollouts-demo:green
+        image: argoproj/rollouts-demo:blue
         imagePullPolicy: Always
         ports:
         - containerPort: 8080
@@ -36,11 +36,10 @@ spec:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: token-secret
+  name: example-secret
 type: Opaque
 data:
-  # This API Token is fake. Its value decoded is "test".
-  apiToken: dGVzdAo=
+  secretUrl: aHR0cHM6Ly9naXN0LmdpdGh1YnVzZXJjb250ZW50LmNvbS9raGhpcmFuaS8yYWIxMTIzMjQwMjUxOGQ1Mjc3YWYwMzBkZDg5MTZkNy9yYXcvZDI3MmY1NTFmMmQxODA2YTAzOTc0ZGJhZWYxMWRmZDU1MTAyZmVlYS9leGFtcGxlLmpzb24=
 ---
 kind: AnalysisTemplate
 apiVersion: argoproj.io/v1alpha1
@@ -48,19 +47,16 @@ metadata:
   name: analysis-secret
 spec:
   args:
-  - name: api-token
+  - name: secret-url
     valueFrom:
       secretKeyRef:
-        name: token-secret
-        key: apiToken
+        name: example-secret
+        key: secretUrl
   metrics:
   - name: webmetric
     successCondition: result == 'It worked!'
     provider:
       web:
       # placeholders are resolved when an AnalysisRun is created
-        url: "https://gist.githubusercontent.com/khhirani/2ab11232402518d5277af030dd8916d7/raw/d272f551f2d1806a03974dbaef11dfd55102feea/example.json"
-        headers:
-        - key: Test
-          value: "{{ args.api-token }}"
+        url: "{{args.secret-url}}"
         jsonPath: "{$.message}"
diff --git a/pkg/apis/rollouts/validation/validation_references_test.go b/pkg/apis/rollouts/validation/validation_references_test.go
index 570ce7c765..c969691e3e 100644
--- a/pkg/apis/rollouts/validation/validation_references_test.go
+++ b/pkg/apis/rollouts/validation/validation_references_test.go
@@ -528,8 +528,18 @@ func TestValidateAnalysisMetrics(t *testing.T) {
 		FailureLimit: &failureLimitVal,
 	}}
 
-	resolvedMetrics, err := validateAnalysisMetrics(metrics, args)
-	assert.Nil(t, err)
-	assert.Equal(t, count, resolvedMetrics[0].Count.String())
-	assert.Equal(t, failureLimit, resolvedMetrics[0].FailureLimit.String())
+	t.Run("Success", func(t *testing.T) {
+		resolvedMetrics, err := validateAnalysisMetrics(metrics, args)
+		assert.Nil(t, err)
+		assert.Equal(t, count, resolvedMetrics[0].Count.String())
+		assert.Equal(t, failureLimit, resolvedMetrics[0].FailureLimit.String())
+	})
+
+	t.Run("Error: arg has both Value and ValueFrom", func(t *testing.T) {
+		args[2].Value = pointer.StringPtr("secret-value")
+		_, err := validateAnalysisMetrics(metrics, args)
+		assert.NotNil(t, err)
+		assert.Equal(t, "arg 'secret' has both Value and ValueFrom fields", err.Error())
+
+	})
 }
diff --git a/test/e2e/analysis_test.go b/test/e2e/analysis_test.go
index 12655c3652..42e3e2135e 100644
--- a/test/e2e/analysis_test.go
+++ b/test/e2e/analysis_test.go
@@ -598,3 +598,24 @@ spec:
 		Then().
 		ExpectAnalysisRunCount(1)
 }
+
+func (s *AnalysisSuite) TestAnalysisWithSecret() {
+	(s.Given().
+		RolloutObjects("@functional/rollout-secret.yaml").
+		When().
+		ApplyManifests().
+		WaitForRolloutStatus("Healthy").
+		Then().
+		ExpectAnalysisRunCount(0).
+		When().
+		UpdateSpec().
+		WaitForRolloutStatus("Paused").
+		Then().
+		ExpectAnalysisRunCount(1).
+		When().
+		WaitForInlineAnalysisRunPhase("Successful").
+		PromoteRollout().
+		WaitForRolloutStatus("Healthy").
+		Then().
+		ExpectStableRevision("2"))
+}
diff --git a/test/e2e/functional/rollout-secret.yaml b/test/e2e/functional/rollout-secret.yaml
new file mode 100644
index 0000000000..42db8000f2
--- /dev/null
+++ b/test/e2e/functional/rollout-secret.yaml
@@ -0,0 +1,56 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Rollout
+metadata:
+  name: rollout-secret
+spec:
+  replicas: 1
+  revisionHistoryLimit: 2
+  selector:
+    matchLabels:
+      app: rollout-secret
+  template:
+    metadata:
+      labels:
+        app: rollout-secret
+    spec:
+      containers:
+      - name: rollouts-demo
+        image: argoproj/rollouts-demo:blue
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 8080
+  strategy:
+    canary:
+      steps:
+      - setWeight: 25
+      - analysis:
+          templates:
+          - templateName: analysis-secret
+      - pause: {}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: example-secret
+type: Opaque
+data:
+  secretUrl: aHR0cHM6Ly9naXN0LmdpdGh1YnVzZXJjb250ZW50LmNvbS9raGhpcmFuaS8yYWIxMTIzMjQwMjUxOGQ1Mjc3YWYwMzBkZDg5MTZkNy9yYXcvZDI3MmY1NTFmMmQxODA2YTAzOTc0ZGJhZWYxMWRmZDU1MTAyZmVlYS9leGFtcGxlLmpzb24=
+---
+kind: AnalysisTemplate
+apiVersion: argoproj.io/v1alpha1
+metadata:
+  name: analysis-secret
+spec:
+  args:
+  - name: secret-url
+    valueFrom:
+      secretKeyRef:
+        name: example-secret
+        key: secretUrl
+  metrics:
+  - name: webmetric
+    successCondition: result == 'It worked!'
+    provider:
+      web:
+        url: "{{args.secret-url}}"
+        jsonPath: "{$.message}"