diff --git a/api/v1alpha1/managedcluster_types.go b/api/v1alpha1/managedcluster_types.go
index 404a6de15..b4ccd0c30 100644
--- a/api/v1alpha1/managedcluster_types.go
+++ b/api/v1alpha1/managedcluster_types.go
@@ -61,6 +61,10 @@ type ManagedClusterSpec struct {
 	Template string `json:"template"`
 	// Name reference to the related Credentials object.
 	Credential string `json:"credential,omitempty"`
+	// PropagateCredentials indicates whether credentials should be propagated
+	// for use by CCM (Cloud Controller Manager).
+	// +kubebuilder:default:=true
+	PropagateCredentials bool `json:"propagateCredentials,omitempty"`
 	// Services is a list of services created via ServiceTemplates
 	// that could be installed on the target cluster.
 	Services []ServiceSpec `json:"services,omitempty"`
diff --git a/internal/controller/managedcluster_controller.go b/internal/controller/managedcluster_controller.go
index c89fdb1cc..f80e5f0af 100644
--- a/internal/controller/managedcluster_controller.go
+++ b/internal/controller/managedcluster_controller.go
@@ -354,9 +354,11 @@ func (r *ManagedClusterReconciler) updateCluster(ctx context.Context, mc *hmc.Ma
 		return ctrl.Result{RequeueAfter: DefaultRequeueInterval}, nil
 	}
 
-	if err := r.reconcileCredentialPropagation(ctx, mc); err != nil {
-		l.Error(err, "failed to reconcile credentials propagation")
-		return ctrl.Result{}, err
+	if mc.Spec.PropagateCredentials {
+		if err := r.reconcileCredentialPropagation(ctx, mc); err != nil {
+			l.Error(err, "failed to reconcile credentials propagation")
+			return ctrl.Result{}, err
+		}
 	}
 
 	return ctrl.Result{}, nil
diff --git a/templates/provider/hmc/templates/crds/hmc.mirantis.com_managedclusters.yaml b/templates/provider/hmc/templates/crds/hmc.mirantis.com_managedclusters.yaml
index 8e0ec18a3..750585b65 100644
--- a/templates/provider/hmc/templates/crds/hmc.mirantis.com_managedclusters.yaml
+++ b/templates/provider/hmc/templates/crds/hmc.mirantis.com_managedclusters.yaml
@@ -69,6 +69,12 @@ spec:
                 description: DryRun specifies whether the template should be applied
                   after validation or only validated.
                 type: boolean
+              propagateCredentials:
+                default: true
+                description: |-
+                  PropagateCredentials indicates whether credentials should be propagated
+                  for use by CCM (Cloud Controller Manager).
+                type: boolean
               services:
                 description: |-
                   Services is a list of services created via ServiceTemplates