diff --git a/deployments/helm/hephaestus/templates/controller/deployment.yaml b/deployments/helm/hephaestus/templates/controller/deployment.yaml
index 3ed590d7..9c7d0bc1 100644
--- a/deployments/helm/hephaestus/templates/controller/deployment.yaml
+++ b/deployments/helm/hephaestus/templates/controller/deployment.yaml
@@ -42,9 +42,23 @@ spec:
 args:
 - start
 - --config=/etc/hephaestus/config.yaml
- {{- with .Values.controller.manager.extraEnvVars }}
+ {{- with .Values.controller.manager }}
+ {{- if or .extraEnvVars .cloudRegistryAuth.azure.enabled }}
 env:
+ {{- with .extraEnvVars }}
 {{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .cloudRegistryAuth.azure.enabled }}
+ - name: AZURE_TENANT_ID
+ value: {{ required "Azure tenantID is required when enabled!" .cloudRegistryAuth.azure.tenantID | quote }}
+ - name: AZURE_CLIENT_ID
+ value: {{ required "Azure clientID is required when enabled!" .cloudRegistryAuth.azure.clientID | quote }}
+ {{- with .cloudRegistryAuth.azure.clientSecret }}
+ - name: AZURE_CLIENT_SECRET
+ value: {{ . | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
 {{- end }}
 ports:
 {{- with .Values.controller.manager }}
diff --git a/deployments/helm/hephaestus/templates/controller/serviceaccount.yaml b/deployments/helm/hephaestus/templates/controller/serviceaccount.yaml
index 64ef8962..bfd556a4 100644
--- a/deployments/helm/hephaestus/templates/controller/serviceaccount.yaml
+++ b/deployments/helm/hephaestus/templates/controller/serviceaccount.yaml
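Review bot: `AZURE_CLIENT_SECRET` is written into the Deployment as a literal `value:` (the `with .cloudRegistryAuth.azure.clientSecret` branch in templates/controller/deployment.yaml), so the client secret is readable by anyone who can get the Deployment or its pods and appears in `kubectl describe` output and rendered manifests. Sourcing it from a Secret keeps it out of the pod spec: replace `value: {{ . | quote }}` with `valueFrom:` / `secretKeyRef:` pointing at a chart-managed or pre-existing Secret (`name: <azure-credentials-secret>` and `key: <client-secret-key>` are placeholders). The value comes from the `clientSecret: ""` key added in values.yaml, so accepting a reference to an existing Secret there would also keep the secret out of committed values files. The container spec this `env:` belongs to starts above the hunk.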
@@ -5,8 +5,15 @@ metadata:
 name: {{ include "hephaestus.serviceAccountName" . }}
 labels:
 {{- include "hephaestus.controller.labels.standard" . | nindent 4 }}
- {{- with .Values.controller.serviceAccount.annotations }}
+ {{- with .Values.controller }}
+ {{- if or .serviceAccount.annotations .manager.cloudRegistryAuth.gcp.enabled }}
 annotations:
+ {{- with .serviceAccount.annotations }}
 {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- if .manager.cloudRegistryAuth.gcp.enabled }}
+ "iam.gke.io/gcp-service-account": {{ required "GCP ServiceAccount is required when enabled!" .manager.cloudRegistryAuth.gcp.serviceAccount | quote }}
+ {{- end }}
+ {{- end }}
 {{- end }}
 {{- end }}
diff --git a/deployments/helm/hephaestus/values.yaml b/deployments/helm/hephaestus/values.yaml
index 1439c621..1e8702e7 100644
--- a/deployments/helm/hephaestus/values.yaml
+++ b/deployments/helm/hephaestus/values.yaml
@@ -148,6 +148,19 @@ controller:
 # Secrets (name: path) to expose into builds that request it
 secrets: {}
 
+ # Cloud-based registry credentials configuration
+ cloudRegistryAuth:
+ # Azure credentials required to access ACR
+ azure:
+ enabled: false
+ tenantID: ""
+ clientID: ""
+ clientSecret: ""
+ # GCP credentials required to access GCR
+ gcp:
+ enabled: false
+ serviceAccount: ""
+
 # Build status messaging configuration
 messaging:
 # Enable message publisher
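Review bot: When `gcp.enabled` is true and `.serviceAccount.annotations` already carries `iam.gke.io/gcp-service-account`, the `annotations:` block in templates/controller/serviceaccount.yaml renders that key twice, because the `toYaml` output and the literal annotation line are emitted independently. YAML parsers differ on duplicate mapping keys (some reject them, others silently keep the last one), so which cloud identity the ServiceAccount is bound to becomes parser-dependent. In the gcp-enabled branch, building one map and rendering it once avoids this, e.g. `{{- $ann := merge (dict "iam.gke.io/gcp-service-account" (required "GCP ServiceAccount is required when enabled!" .manager.cloudRegistryAuth.gcp.serviceAccount)) (.serviceAccount.annotations | default dict) }}` followed by `{{- toYaml $ann | nindent 4 }}`. The last `{{- end }}` context line closes a block opened above the hunk.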
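Review bot: The comments on the new `cloudRegistryAuth` keys in values.yaml do not say how each value is consumed, and `gcp.serviceAccount` is described as credentials although the serviceaccount.yaml template only writes it into the `iam.gke.io/gcp-service-account` annotation. I would change the gcp comment to `# GCP service account set as the iam.gke.io/gcp-service-account annotation on the controller ServiceAccount` and add `# Optional; AZURE_CLIENT_SECRET is only set on the controller when non-empty` above `clientSecret`. It would also help to state that `tenantID`/`clientID` and `serviceAccount` become mandatory once the matching `enabled` flag is true, since the templates use `required` and fail rendering otherwise.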