diff --git a/pkg/resources/mutation/secret/secret.go b/pkg/resources/mutation/secret/secret.go
new file mode 100644
index 0000000..cf91fc3
--- /dev/null
+++ b/pkg/resources/mutation/secret/secret.go
@@ -0,0 +1,63 @@
+package secret
+
+import (
+ "time"
+
+ "github.com/rancher/webhook/pkg/auth"
+ "github.com/rancher/webhook/pkg/clients"
+ "github.com/rancher/webhook/pkg/patch"
+ "github.com/rancher/wrangler/pkg/webhook"
+ "github.com/sirupsen/logrus"
+ admissionv1 "k8s.io/api/admission/v1"
+ v1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/utils/trace"
+)
+
+func NewMutator(client *clients.Clients) webhook.Handler {
+ return &mutator{}
+}
+
+type mutator struct{}
+
+func (m *mutator) Admit(response *webhook.Response, request *webhook.Request) error {
+ if request.DryRun != nil && *request.DryRun {
+ response.Allowed = true
+ return nil
+ }
+
+ listTrace := trace.New("secret Admit", trace.Field{Key: "user", Value: request.UserInfo.Username})
+ defer listTrace.LogIfLong(2 * time.Second)
+
+ secret, err := secretObject(request)
+ if err != nil {
+ return err
+ }
+
+ if secret.Type != "provisioning.cattle.io/cloud-credential" {
+ response.Allowed = true
+ return nil
+ }
+
+ logrus.Debugf("[secret-mutation] adding creatorID %v to secret: %v", request.UserInfo.Username, secret.Name)
+ newSecret := secret.DeepCopy()
+
+ if newSecret.Annotations == nil {
+ newSecret.Annotations = make(map[string]string)
+ }
+
+ newSecret.Annotations[auth.CreatorIDAnn] = request.UserInfo.Username
+
+ return patch.CreatePatch(secret, newSecret, response)
+}
+
+func secretObject(request *webhook.Request) (*v1.Secret, error) {
+ var secret runtime.Object
+ var err error
+ if request.Operation == admissionv1.Delete {
+ secret, err = request.DecodeOldObject()
+ } else {
+ secret, err = request.DecodeObject()
+ }
+ return secret.(*v1.Secret), err
+}
diff --git a/pkg/server/mutation.go b/pkg/server/mutation.go
index 437a7eb..bf90677
--- a/pkg/server/mutation.go
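Review bot: `secretObject` performs the single-value assertion `secret.(*v1.Secret)` before `err` is examined, so if `DecodeObject`/`DecodeOldObject` returns an error together with a nil object the assertion on a nil interface panics inside the admission handler instead of surfacing the decode error, and the same panic occurs should the router ever hand this mutator a non-Secret object. Check `err` first and use the two-value assertion so a malformed request becomes an error response rather than a crashed handler; note that `fmt` is not yet imported in this file. `NewMutator` also ignores `client`, which is fine for signature parity with the other mutators but deserves a one-line comment such as `// client is unused; kept so all mutators share the same constructor shape.` Overwriting `auth.CreatorIDAnn` unconditionally from `request.UserInfo.Username` is the right choice for create, since it discards any client-supplied value.
```go
func secretObject(request *webhook.Request) (*v1.Secret, error) {
	// … unchanged: operation-dependent DecodeObject / DecodeOldObject …
	if err != nil {
		return nil, err
	}
	s, ok := secret.(*v1.Secret)
	if !ok {
		return nil, fmt.Errorf("expected *v1.Secret, got %T", secret)
	}
	return s, nil
}
```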
+++ b/pkg/server/mutation.go
@@ -10,15 +10,19 @@ import (
 "github.com/rancher/webhook/pkg/clients"
 "github.com/rancher/webhook/pkg/resources/mutation/cluster"
 "github.com/rancher/webhook/pkg/resources/mutation/fleetworkspace"
+ "github.com/rancher/webhook/pkg/resources/mutation/secret"
 "github.com/rancher/wrangler/pkg/webhook"
+ k8sv1 "k8s.io/api/core/v1"
 )
 
 func Mutation(client *clients.Clients) (http.Handler, error) {
 fleetworkspaceMutator := fleetworkspace.NewMutator(client)
 provisioningCluster := cluster.NewMutator(client)
+ secret := secret.NewMutator(client)
 
 router := webhook.NewRouter()
 router.Kind("FleetWorkspace").Group(management.GroupName).Type(&v3.FleetWorkspace{}).Handle(fleetworkspaceMutator)
 router.Kind("Cluster").Group(provisioning.GroupName).Type(&v1.Cluster{}).Handle(provisioningCluster)
+ router.Kind("Secret").Group("").Type(&k8sv1.Secret{}).Handle(secret)
 return router, nil
 }
diff --git a/pkg/server/server.go b/pkg/server/server.go
index 4d83600..dcf3fb8
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -265,6 +265,17 @@ func listenAndServe(ctx context.Context, clients *clients.Clients, handler http.
 Scope: &namespaceScope,
 },
 },
+ {
+ Operations: []v1.OperationType{
+ v1.Create,
+ },
+ Rule: v1.Rule{
+ APIGroups: []string{""},
+ APIVersions: []string{"v1"},
+ Resources: []string{"secrets"},
+ Scope: &namespaceScope,
+ },
+ },
 },
 FailurePolicy: &failPolicyFail,
 SideEffects: &sideEffectClassNoneOnDryRun,
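Review bot: The new local `secret := secret.NewMutator(client)` shadows the imported package `secret` for the remainder of `Mutation`; it compiles only because the package is not referenced again afterwards, and it breaks the naming used by `fleetworkspaceMutator` two lines above. Rename the local so the package stays reachable and the intent reads at a glance: `secretMutator := secret.NewMutator(client)` and `router.Kind("Secret").Group("").Type(&k8sv1.Secret{}).Handle(secretMutator)`. A short comment on the `Group("")` call, e.g. `// "" is the core API group`, would save the next reader a lookup.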
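Review bot: The added rule (`APIGroups: []string{""}`, `Resources: []string{"secrets"}`, no selector) routes every namespaced Secret create in the cluster through the webhook, although the mutator acts only on cloud-credential secrets and admits everything else unchanged. With `FailurePolicy: &failPolicyFail` on the same configuration (visible just below the rule), webhook unavailability would then block all Secret creation cluster-wide, which is a much larger blast radius than the feature needs. If the rule cannot be narrowed with the admission API features this code targets, the trade-off should at least be recorded on the rule, e.g. `// Matches all Secret creates; only cloud-credential secrets are mutated, and FailurePolicy=Fail means webhook downtime blocks every Secret create.` Separately, only `v1.Create` is registered, so the creatorID annotation set on create is not re-asserted on Update; whether a later Update can rewrite it depends on validation that is not part of this diff. `listenAndServe` begins before this hunk.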