diff --git a/audit/create-or-update-audit-pr.sh b/audit/create-or-update-audit-pr.sh
index faf9b4740fe..3cd3f8dbe49 100755
--- a/audit/create-or-update-audit-pr.sh
+++ b/audit/create-or-update-audit-pr.sh
@@ -34,10 +34,16 @@ set -o pipefail
 GH_USER=cncf-ci
 GH_NAME="CNCF CI Bot"
 GH_EMAIL="cncf-ci@ii.coop"
+GH_TOKEN=$(cat /etc/github-token/token)
 FORK_GH_REPO=k8s.io
 FORK_GH_BRANCH=autoaudit-${PROW_INSTANCE_NAME:-prow}
 FORK_URI="https://github.com/${GH_USER}/${FORK_GH_REPO}"
+if [ -z "${GH_TOKEN}" ]; then
+ >&2 echo "ERROR: GH_TOKEN is empty"
+ exit 1
+fi
+
 echo "Ensure git configured" >&2
 git config user.name "${GH_NAME}"
 git config user.email "${GH_EMAIL}"
@@ -78,7 +84,7 @@ if ! command -v "${prcreator}" &>/dev/null; then
 fi
 echo "Pushing commit to github.com/${GH_USER}/${FORK_GH_REPO}..." >&2
-GH_TOKEN=$(cat /etc/github-token/token)
+
 git push -f "https://${GH_USER}:${GH_TOKEN}@github.com/${GH_USER}/${FORK_GH_REPO}" "HEAD:${FORK_GH_BRANCH}" 2>/dev/null
 echo "Creating or updating PR to merge ${GH_USER}:${FORK_GH_BRANCH} into kubernetes:main..." >&2
diff --git a/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/main.tf b/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/main.tf
index a82cdd0efb6..1f35782726a 100644
--- a/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/main.tf
+++ b/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/main.tf
@@ -174,6 +174,7 @@ module "prow_build_cluster" {
 is_prod_cluster = "true"
 release_channel = "REGULAR"
 dns_cache_enabled = "true"
+ cloud_shell_access = false
 }
 module "prow_build_nodepool" {
diff --git a/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/kubernetes-external-secrets-serviceaccounts.yaml b/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/kubernetes-external-secrets-serviceaccounts.yaml
new file mode 100644
index 00000000000..95df9ceaa32
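Review bot: The new guard at `if [ -z "${GH_TOKEN}" ]` only catches an empty token file; when `/etc/github-token/token` is missing or unreadable, `cat` prints its own error and, if the script runs under `set -e`, exits before the friendlier message is ever reached (only `set -o pipefail` is visible in the hunk header, so this part is inferred). A readability check before the read gives the intended diagnostic in both cases: `[ -r /etc/github-token/token ] || { echo "ERROR: /etc/github-token/token is missing or unreadable" >&2; exit 1; }`. The new `>&2 echo "..."` form also differs from the `echo "..." >&2` used on the surrounding lines; worth matching. Since GH_TOKEN now lives for the whole script rather than just before the push, keep it unexported as it is here so it does not reach child processes, and note that it is still interpolated into the push URL on the unchanged `git push` line, where a `set -x` trace or a git error not covered by the `2>/dev/null` would expose it.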
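Review bot: `cloud_shell_access = false` is written as a bare boolean while the neighbouring arguments in the same module block pass booleans as strings (`is_prod_cluster = "true"`, `dns_cache_enabled = "true"`). Terraform coerces between the two where the module variable's declared type allows, so this is a consistency point rather than a defect, but using one form in the block avoids a reader wondering whether the difference is meaningful. A short comment such as `# trusted build cluster: do not allow Cloud Shell access` would record why this is pinned here; the enclosing `module "prow_build_cluster"` block begins before the hunk.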
--- /dev/null
+++ b/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/kubernetes-external-secrets-serviceaccounts.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ iam.gke.io/gcp-service-account: kubernetes-external-secrets@k8s-infra-prow-build-trusted.iam.gserviceaccount.com
+ name: kubernetes-external-secrets
+ namespace: kubernetes-external-secrets
diff --git a/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/test-pods-externalsecrets.yaml b/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/test-pods-externalsecrets.yaml
new file mode 100644
index 00000000000..a886c5c758e
--- /dev/null
+++ b/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/test-pods-externalsecrets.yaml
@@ -0,0 +1,19 @@
+# This is a place holder for adding kubernetes external secrets, please add the
+# ExternalSecret CR here, separated by `---`.
+---
+apiVersion: kubernetes-client.io/v1
+kind: ExternalSecret
+metadata:
+ name: cncf-ci-github-token
+ namespace: test-pods
+spec:
+ backendType: gcpSecretsManager
+ # The project hosting the GSM Secret
+ projectId: k8s-infra-prow-build-trusted
+ data:
+ # The name of the GSM Secret
+ - key: cncf-ci-github-token # The name of the GSM Secret
+ # The version of the GSM Secret
+ version: latest
+ # Value will appear in .data.{name} in the Kubernetes Secret
+ name: token
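Review bot: The `iam.gke.io/gcp-service-account` annotation on its own grants nothing; this ServiceAccount only impersonates the GSA if `kubernetes-external-secrets@k8s-infra-prow-build-trusted.iam.gserviceaccount.com` also carries a `roles/iam.workloadIdentityUser` binding for member `serviceAccount:k8s-infra-prow-build-trusted.svc.id.goog[kubernetes-external-secrets/kubernetes-external-secrets]`, and that GSA must be able to read the Secret Manager secret referenced by the ExternalSecret added in this commit. Neither binding is in the diff, so presumably they are managed in the project's Terraform. A one-line comment above `annotations:` pointing at where the IAM side lives, e.g. `# Workload Identity: the matching workloadIdentityUser binding is managed in Terraform (<location of the IAM binding>)`, would save the next reader that search.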
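Review bot: The comment `# The name of the GSM Secret` appears twice in the `data` list, once on its own line above the entry and again inline on the `- key: cncf-ci-github-token` line, so one of them should go; `place holder` in the file header should also read `placeholder`. `version: latest` means a rotation of the Secret Manager secret is picked up on the next sync with no change here, which is normally what you want for a bot token but is worth stating, e.g. `# latest: rotations in Secret Manager propagate on the next sync`. The resulting Secret is named `cncf-ci-github-token` with key `token`, which lines up with the `/etc/github-token/token` path read by `audit/create-or-update-audit-pr.sh` in this commit only if the job's volume mounts that Secret at `/etc/github-token`; that pod or preset configuration is not in the diff, so presumably it is handled elsewhere. Anything permitted to read Secrets in `test-pods` can now read this token, so the namespace's RBAC on `secrets` is the effective control.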
diff --git a/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/build-serviceaccounts.yaml b/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/test-pods-serviceaccounts.yaml
similarity index 100%
rename from infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/build-serviceaccounts.yaml
rename to infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/test-pods-serviceaccounts.yaml