diff --git a/apps/prow/cluster/prow-externalsecrets.yaml b/apps/prow/cluster/prow-externalsecrets.yaml
index f227f6328898..c230020644ae 100644
--- a/apps/prow/cluster/prow-externalsecrets.yaml
+++ b/apps/prow/cluster/prow-externalsecrets.yaml
@@ -32,3 +32,19 @@ spec:
 - key: k8s-infra-build-clusters-kubeconfig # The name of the GSM Secret
 name: kubeconfig # The key to write to in the Kubernetes Secret
 version: latest # The version of the GSM Secret
+---
+# Github HMAC token synchronized from GCP Secrets Manager
+apiVersion: kubernetes-client.io/v1
+kind: ExternalSecret
+metadata:
+ name: k8s-infra-prow-hmac-token
+ namespace: prow
+ labels:
+ app: prow
+spec:
+ backendType: gcpSecretsManager
+ projectId: kubernetes-public
+ data:
+ - key: k8s-infra-prow-hmac-token # The name of the GSM Secret
+ name: hmac # The key to write to in the Kubernetes Secret
+ version: latest # The version of the GSM Secret
diff --git a/infra/gcp/ensure-main-project.sh b/infra/gcp/ensure-main-project.sh
index ea4f060d9619..c61f1f9edae6 100755
--- a/infra/gcp/ensure-main-project.sh
+++ b/infra/gcp/ensure-main-project.sh
@@ -335,6 +335,7 @@ function ensure_aaa_external_secrets() {
 local prow_secrets=(
 k8s-infra-build-clusters-kubeconfig
 k8s-infra-ci-robot-github-token
+ k8s-infra-prow-hmac-token
 )
 local slack_infra_secrets=(
 recaptcha
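Review bot: `version: latest` on the new `k8s-infra-prow-hmac-token` entry means any version added to the GSM secret in `kubernetes-public` is copied into the `prow` namespace without a reviewed change. For a webhook HMAC that matters in two ways: a new version that the GitHub webhook configuration does not yet use would presumably make signature validation fail, and whoever can add a version effectively chooses the key that incoming webhooks are checked against. Either pin a specific version, or keep `latest` (as the kubeconfig entry above does) and add a comment such as `# Rotation: add the GSM version and update the GitHub webhook secret together; limit who may add versions`. The diff does not show which workload mounts the resulting Secret, so confirm it reads the key `hmac` from a Secret named `k8s-infra-prow-hmac-token`.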
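Review bot: The new `k8s-infra-prow-hmac-token` entry in `prow_secrets` carries no comment saying what it is for, and it inherits whatever provisioning and IAM grants the rest of `ensure_aaa_external_secrets` applies to that array; that code starts and ends outside this hunk. Because the array already groups a kubeconfig and a GitHub token, it is worth confirming that the identities granted access there are only the ones that need the webhook HMAC. A trailing comment on the entry would document the link to the manifest, e.g. `k8s-infra-prow-hmac-token # GitHub webhook HMAC, read by the prow ExternalSecret`.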