diff --git a/core-services/ci-secret-bootstrap/gsm-config.yaml b/core-services/ci-secret-bootstrap/gsm-config.yaml
new file mode 100644
index 0000000000000..267306a79332b
--- /dev/null
+++ b/core-services/ci-secret-bootstrap/gsm-config.yaml
@@ -0,0 +1,59 @@
+# GSM Configuration File for Secret Management
+# This file defines how secrets from Google Secret Manager are bundled and consumed in our CI.
+# See docs for further info: [TODO docs link]
+
+cluster_groups:
+  build_farm:
+    - app.ci
+    - build01
+    - build02
+    - build03
+    - build04
+    - build05
+    - build06
+    - build07
+    - build08
+    - build09
+    - build10
+    - build11
+    - core-ci
+    - vsphere02
+  managed_clusters:
+    - app.ci
+    - build01
+    - build02
+    - build03
+    - build04
+    - build05
+    - build06
+    - build07
+    - build08
+    - build09
+    - build10
+    - build11
+    - core-ci
+    - hosted-mgmt
+  non_app_ci:
+    - build01
+    - build02
+    - build03
+    - build04
+    - build05
+    - build06
+    - build07
+    - build08
+    - build09
+    - build10
+    - build11
+    - core-ci
+    - vsphere02
+
+bundles:
+  - name: test-credentials
+    gsm_secrets:
+      - collection: psalajova-first-secret
+        group: group1
+    sync_to_cluster: true
+    targets:
+      - cluster: build01
+        namespace: ci
diff --git a/core-services/prow/02_config/_plugins.yaml b/core-services/prow/02_config/_plugins.yaml
index 07f05f5fb4896..001617f1742e5 100644
--- a/core-services/prow/02_config/_plugins.yaml
+++ b/core-services/prow/02_config/_plugins.yaml
@@ -457,6 +457,10 @@ config_updater:
         app.ci:
         - ci
       name: ci-secret-bootstrap
+    core-services/ci-secret-bootstrap/gsm-config.yaml:
+      cluster_groups:
+      - build_farm_ci
+      name: gsm-config
     core-services/ci-secret-generator/_config.yaml:
       clusters:
         app.ci: