diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml
index e515b011..da1e7cb5 100644
--- a/charts/fulcio/Chart.yaml
+++ b/charts/fulcio/Chart.yaml
@@ -5,7 +5,7 @@ description: |
 type: application
-version: 2.5.0
+version: 2.6.0
 appVersion: 1.6.0
 keywords:
diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md
index e6a6f0d9..7af392e6 100644
--- a/charts/fulcio/README.md
+++ b/charts/fulcio/README.md
@@ -2,7 +2,7 @@
-![Version: 2.5.0](https://img.shields.io/badge/Version-2.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.0](https://img.shields.io/badge/AppVersion-1.6.0-informational?style=flat-square)
+![Version: 2.6.0](https://img.shields.io/badge/Version-2.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.0](https://img.shields.io/badge/AppVersion-1.6.0-informational?style=flat-square)
 Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone.
@@ -115,12 +115,14 @@ helm uninstall [RELEASE_NAME]
 | server.affinity | object | `{}` | |
 | server.args.aws_hsm_root_ca_path | string | `nil` | |
 | server.args.certificateAuthority | string | `"fileca"` | |
+| server.args.cloud_credential_config | string | `""` | |
 | server.args.ct_log_url | string | `""` | |
 | server.args.disable_ct_log | bool | `false` | |
 | server.args.gcp_private_ca_parent | string | `"projects/test/locations/us-east1/caPools/test"` | |
 | server.args.grpcPort | int | `5554` | |
 | server.args.hsm_caroot_id | string | `nil` | |
 | server.args.port | int | `5555` | |
+| server.env | object | `{}` | |
 | server.grpcSvcPort | int | `5554` | |
 | server.image.pullPolicy | string | `"IfNotPresent"` | |
 | server.image.registry | string | `"gcr.io"` | | 
diff --git a/charts/fulcio/templates/fulcio-configmap.yaml b/charts/fulcio/templates/fulcio-configmap.yaml
index 00c5d5fd..a54fe005 100644
--- a/charts/fulcio/templates/fulcio-configmap.yaml
+++ b/charts/fulcio/templates/fulcio-configmap.yaml
@@ -20,3 +20,6 @@ data:
 {{- if (eq .Values.server.args.certificateAuthority "kmsca")}}
 chain.pem: {{.Values.server.args.kms_cert_chain | quote }}
 {{- end }}
+ {{- if .Values.server.args.cloud_credential_config }}
+ cloud_credential_config: {{.Values.server.args.cloud_credential_config | quote }}
+ {{- end }}
diff --git a/charts/fulcio/templates/fulcio-deployment.yaml b/charts/fulcio/templates/fulcio-deployment.yaml
index 7682b38c..c88ee236 100644
--- a/charts/fulcio/templates/fulcio-deployment.yaml
+++ b/charts/fulcio/templates/fulcio-deployment.yaml
@@ -71,14 +71,20 @@ spec:
 {{- range .Values.server.extraArgs }}
 - {{ . | quote }}
 {{- end }}
- {{- if eq .Values.server.args.certificateAuthority "fileca" }}
+ {{- if or .Values.server.env (eq .Values.server.args.certificateAuthority "fileca") }}
 env:
- - name: PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ .Values.server.secret }}
- key: password
+ {{- range $key, $value := .Values.server.env }}
+ - name: "{{ $key }}"
+ value: "{{ $value }}"
+ {{- end }}
+ {{- if eq .Values.server.args.certificateAuthority "fileca" }}
+ - name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.server.secret }}
+ key: password
 {{- end }}
+ {{- end }}
 livenessProbe:
 failureThreshold: 3
 httpGet:
diff --git a/charts/fulcio/values.schema.json b/charts/fulcio/values.schema.json
index f2957120..0c8f75c4 100644
--- a/charts/fulcio/values.schema.json
+++ b/charts/fulcio/values.schema.json
@@ -189,6 +189,9 @@
 "gcp_private_ca_parent": {
 "type": "string"
 },
+ "cloud_credential_config": {
+ "type": "string"
+ },
 "grpcPort": {
 "type": "integer"
 },
@@ -466,6 +469,10 @@
 },
 "type": "object"
 },
+ "env": {
+ "type": "object",
+ "properties": {}
+ },
 "serviceAccount": {
 "properties": {
 "annotations": { 
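Review bot: Nothing in this commit consumes the new `cloud_credential_config` ConfigMap key: the deployment hunk adds no volume mount or env var that references it, so whether the file ever reaches the Fulcio container depends on a ConfigMap mount defined outside these hunks. If such a mount exists, a template comment next to the new block such as `# available to the container at <configmap mount path>/cloud_credential_config; point GOOGLE_APPLICATION_CREDENTIALS at it via server.env` (placeholder path) would tell operators how to wire it up; if it does not, the feature is incomplete as shipped. Storing the external-account credential JSON in a ConfigMap is appropriate as long as the README and values comment make clear that this is the config document itself, not a path, and that it must not contain embedded key material.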
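Review bot: The new `- name: "{{ $key }}"` / `value: "{{ $value }}"` lines wrap user-supplied values in literal double quotes without escaping, so any `server.env` value containing a `"` or a backslash renders broken or altered YAML; `name: {{ $key | quote }}` and `value: {{ $value | quote }}` escape correctly and still emit ints and bools as the strings the env API requires. Separately, everything in `server.env` is rendered verbatim into the Deployment manifest, where it is readable from the release secret, `kubectl get -o yaml` and CI output, so the map is not a place for credentials; the retained `PASSWORD` entry with `secretKeyRef` is the pattern to keep for secrets, and a values.yaml comment on `env` should say so. Because user entries are emitted before the `fileca` block, a user key named `PASSWORD` would likely produce a duplicate env name rather than an override; either guard the range with a `ne $key "PASSWORD"` test or document the precedence. The container spec this sits in starts and ends outside the hunk.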
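Review bot: `"properties": {}` on the new `env` schema constrains nothing, so nested maps or lists pass validation and would then be rendered by the deployment template as Go's textual map/slice form inside the quotes. Since fulcio-deployment.yaml renders each value as a quoted string, `"additionalProperties": { "type": "string" }` (or a type list that also admits `integer` and `boolean` if those should be accepted) describes the map and lets `helm lint`/install reject structured values early. The `cloud_credential_config` entry in the earlier hunk is fine as a plain string.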
diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml
index b775c061..5a46357b 100644
--- a/charts/fulcio/values.yaml
+++ b/charts/fulcio/values.yaml
@@ -23,9 +23,12 @@ server:
 # crane digest gcr.io/projectsigstore/fulcio:v1.6.0
 # -- v1.6.0
 version: sha256:9030be23f59405100bc8d24ce2ca493b9d430639ef49b448541a840b3bfd7771
+ env: {}
 args:
 port: 5555
 grpcPort: 5554
+ # valid values: GCP workload identity config json for trusted external cloud providers
+ cloud_credential_config: ""
 # Valid values: googleca, pkcs11ca, aws-hsm-root-ca-path, fileca, kmsca
 certificateAuthority: fileca
 # kms_resource: gcpkms://....
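Review bot: The comment on `cloud_credential_config` does not say whether the value is the JSON document itself or a path to one, nor where it ends up; given the ConfigMap hunk, `# -- Contents of a GCP external-account (workload identity federation) credential JSON; rendered into the fulcio ConfigMap as cloud_credential_config. Empty disables it.` would remove the ambiguity and, in the `# --` form this file already uses for `version`, also fill the empty README description column. `env: {}` is added with no comment at all; `# -- Extra name: value environment variables for the fulcio container; values are rendered as plain strings in the Deployment, so keep secrets in Secrets` documents both the shape and the handling limit. The lowercase `# valid values:` also differs from the `# Valid values:` line directly below it.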