diff --git a/binderhub-service/templates/deployment.yaml b/binderhub-service/templates/deployment.yaml index ae2904c..3a8e713 100644 --- a/binderhub-service/templates/deployment.yaml +++ b/binderhub-service/templates/deployment.yaml @@ -53,6 +53,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + {{- if .Values.extraCredentials.googleServiceAccountKey }} + - name: GOOGLE_APPLICATION_CREDENTIALS + value: /etc/binderhub/mounted-secret/gcp-sa-key.json + {{- end }} {{- with .Values.extraEnv }} {{- tpl (. | toYaml) $ | nindent 12 }} {{- end }} diff --git a/binderhub-service/templates/secret.yaml b/binderhub-service/templates/secret.yaml index eca525c..cbe4d31 100644 --- a/binderhub-service/templates/secret.yaml +++ b/binderhub-service/templates/secret.yaml @@ -18,6 +18,11 @@ stringData: chart-config.yaml: | {{- pick .Values "config" "extraConfig" | toYaml | nindent 4 }} + {{- with .Values.extraCredentials.googleServiceAccountKey }} + gcp-sa-key.json: | + {{- . | nindent 4 }} + {{- end }} + {{- /* Glob files to allow them to be mounted by the binderhub pod */}} {{- /* key=filename: value=content */}} {{- (.Files.Glob "mounted-files/*").AsConfig | nindent 2 }} diff --git a/binderhub-service/values.schema.yaml b/binderhub-service/values.schema.yaml index 24856f9..1599be6 100644 --- a/binderhub-service/values.schema.yaml +++ b/binderhub-service/values.schema.yaml @@ -21,6 +21,7 @@ required: - buildPodsRegistryCredentials # Deployment resource - image + - extraCredentials # Other resources - rbac - serviceAccount @@ -83,6 +84,12 @@ properties: patternProperties: ".*": type: [string, "null"] + extraCredentials: + type: object + additionalProperties: false + properties: + googleServiceAccountKey: + type: string extraEnv: type: array diff --git a/binderhub-service/values.yaml b/binderhub-service/values.yaml index f559f30..d3f7b50 100644 --- a/binderhub-service/values.yaml +++ b/binderhub-service/values.yaml 
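Review bot: The path `/etc/binderhub/mounted-secret/gcp-sa-key.json` in the new `GOOGLE_APPLICATION_CREDENTIALS` entry of templates/deployment.yaml is hard-coded, while the file name is defined separately in templates/secret.yaml and the mount path lies outside this hunk, so a rename in any of the three silently breaks credential loading. I would add a template comment above the `if`, for example `{{- /* path = secret volume mountPath + the gcp-sa-key.json key in secret.yaml; keep in sync */}}`. Because the entry is emitted before `extraEnv`, a release that already sets the same variable through `extraEnv` ends up with two entries of that name, and which one wins should be documented. The volume definition is not visible here; confirm that it is mounted read-only, since it now carries a long-lived cloud key.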
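Review bot: Nothing in the new `with` block in templates/secret.yaml checks that `googleServiceAccountKey` is parseable JSON, so a truncated paste still renders and only fails later when the pod reads the file named by `GOOGLE_APPLICATION_CREDENTIALS`. A render-time guard such as `{{- if (fromJson .).Error }}{{ fail "extraCredentials.googleServiceAccountKey is not valid JSON" }}{{- end }}` would surface this at `helm template`; keep the failure message free of the value itself. The block also lacks a comment of the kind the glob section below it has; something like `{{- /* key file read via GOOGLE_APPLICATION_CREDENTIALS, see deployment.yaml */}}` would tie the two templates together. The `mounted-files/*` glob that follows writes into the same `stringData` map, so a bundled file named `gcp-sa-key.json` would produce a duplicate key.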
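Review bot: The new `googleServiceAccountKey` property in values.schema.yaml (second hunk) has only `type: string` and no `description`, so nothing tells a chart user that this value is a complete service account key file and must be handled as a secret. I would add a `description: |` block stating that it holds the full JSON key, that it is rendered into the chart's Secret and exposed to the binderhub container through `GOOGLE_APPLICATION_CREDENTIALS`, and that it should come from an encrypted or uncommitted values file (or `--set-file`) rather than a tracked one. A one-line comment to the same effect above the `""` default in values.yaml would help as well.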
@@ -51,6 +51,8 @@ extraConfig: namespace = os.environ["NAMESPACE"] c.KubernetesBuildExecutor.docker_host = f"/var/run/{ namespace }-{ helm_release_name }/docker-api/docker-api.sock" +extraCredentials: + googleServiceAccountKey: "" extraEnv: [] replicas: 1 image: diff --git a/tools/templates/lint-and-validate-values.yaml b/tools/templates/lint-and-validate-values.yaml index d0b11bf..02fde33 100644 --- a/tools/templates/lint-and-validate-values.yaml +++ b/tools/templates/lint-and-validate-values.yaml @@ -21,6 +21,20 @@ buildPodsRegistryCredentials: image: repository: quay.io/2i2c/binderhub-service tag: "set-by-chartpress" +extraCredentials: + googleServiceAccountKey: | + { + "type": "service_account", + "project_id": "PROJECT_ID", + "private_key_id": "KEY_ID", + "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n", + "client_email": "SERVICE_ACCOUNT_EMAIL", + "client_id": "CLIENT_ID", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://accounts.google.com/o/oauth2/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL" + } extraEnv: - name: HELM_RELEASE_NAME value: "{{ .Release.Name }}"
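Review bot: The fixture added to tools/templates/lint-and-validate-values.yaml carries a `-----BEGIN PRIVATE KEY-----` header with no comment saying it is a dummy, which secret scanners tend to flag and which invites someone to paste a real key here for local testing. I would put `# Dummy placeholder for lint/validate only; never replace with a real service account key.` directly above `extraCredentials:`. If the repository runs a secret scanner, any allowlist entry should be scoped to this one file rather than to the PEM header pattern in general.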