diff --git a/api/v1alpha1/clusterdeployment_types.go b/api/v1alpha1/clusterdeployment_types.go
index e811b9801..dc56d98be 100644
--- a/api/v1alpha1/clusterdeployment_types.go
+++ b/api/v1alpha1/clusterdeployment_types.go
@@ -61,6 +61,10 @@ type ClusterDeploymentSpec struct {
 	Template string `json:"template"`
 	// Name reference to the related Credentials object.
 	Credential string `json:"credential,omitempty"`
+	// PropagateCredentials indicates whether credentials should be propagated
+	// for use by CCM (Cloud Controller Manager).
+	// +kubebuilder:default:=true
+	PropagateCredentials bool `json:"propagateCredentials,omitempty"`
 	// Services is a list of services created via ServiceTemplates
 	// that could be installed on the target cluster.
 	Services []ServiceSpec `json:"services,omitempty"`
diff --git a/internal/controller/clusterdeployment_controller.go b/internal/controller/clusterdeployment_controller.go
index 4d2c3f938..b972eaa84 100644
--- a/internal/controller/clusterdeployment_controller.go
+++ b/internal/controller/clusterdeployment_controller.go
@@ -354,9 +354,11 @@ func (r *ClusterDeploymentReconciler) updateCluster(ctx context.Context, mc *hmc
 		return ctrl.Result{RequeueAfter: DefaultRequeueInterval}, nil
 	}
 
-	if err := r.reconcileCredentialPropagation(ctx, mc); err != nil {
-		l.Error(err, "failed to reconcile credentials propagation")
-		return ctrl.Result{}, err
+	if mc.Spec.PropagateCredentials {
+		if err := r.reconcileCredentialPropagation(ctx, mc); err != nil {
+			l.Error(err, "failed to reconcile credentials propagation")
+			return ctrl.Result{}, err
+		}
 	}
 
 	return ctrl.Result{}, nil
diff --git a/templates/provider/hmc/templates/crds/hmc.mirantis.com_clusterdeployments.yaml b/templates/provider/hmc/templates/crds/hmc.mirantis.com_clusterdeployments.yaml
index 44b90107f..4fb51689d 100644
--- a/templates/provider/hmc/templates/crds/hmc.mirantis.com_clusterdeployments.yaml
+++ b/templates/provider/hmc/templates/crds/hmc.mirantis.com_clusterdeployments.yaml
@@ -69,6 +69,12 @@ spec:
                 description: DryRun specifies whether the template should be applied
                   after validation or only validated.
                 type: boolean
+              propagateCredentials:
+                default: true
+                description: |-
+                  PropagateCredentials indicates whether credentials should be propagated
+                  for use by CCM (Cloud Controller Manager).
+                type: boolean
               services:
                 description: |-
                   Services is a list of services created via ServiceTemplates