diff --git a/pkg/templates/externalccm/packet.go b/pkg/templates/externalccm/packet.go
index 8ec355966..ff428850a 100644
--- a/pkg/templates/externalccm/packet.go
+++ b/pkg/templates/externalccm/packet.go
@@ -18,6 +18,7 @@ package externalccm
 
 import (
 	"context"
+	"encoding/json"
 
 	"github.com/pkg/errors"
 
@@ -33,10 +34,16 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
+type packetCloudSA struct {
+	APIKey    string `json:"apiKey"`
+	ProjectID string `json:"projectID"`
+}
+
 const (
-	packetImage          = "packethost/packet-ccm:v0.0.4"
-	packetSAName         = "cloud-controller-manager"
-	packetDeploymentName = "packet-cloud-controller-manager"
+	packetImage             = "packethost/packet-ccm:v1.0.0"
+	packetSAName            = "cloud-controller-manager"
+	packetDeploymentName    = "packet-cloud-controller-manager"
+	packetCloudSASecretName = "packet-cloud-config"
 )
 
 func ensurePacket(s *state.State) error {
@@ -47,10 +54,21 @@ func ensurePacket(s *state.State) error {
 	ctx := context.Background()
 	sa := packetServiceAccount()
 	crole := packetClusterRole()
+
+	creds, err := credentials.ProviderCredentials(s.Cluster.CloudProvider.Name, s.CredentialsFilePath)
+	if err != nil {
+		return errors.Wrap(err, "failed to fetch credentials")
+	}
+	secret, err := packetCloudSASecret(creds)
+	if err != nil {
+		return errors.Wrap(err, "failed to generate packet cloud config secret")
+	}
+
 	k8sobjects := []runtime.Object{
 		sa,
 		crole,
 		genClusterRoleBinding("system:cloud-controller-manager", crole, sa),
+		secret,
 	}
 
 	for _, obj := range k8sobjects {
@@ -71,6 +89,27 @@ func packetServiceAccount() *corev1.ServiceAccount {
 	}
 }
 
+func packetCloudSASecret(creds map[string]string) (*corev1.Secret, error) {
+	cloudSA := &packetCloudSA{
+		APIKey:    creds[credentials.PacketAPIKeyMC],
+		ProjectID: creds[credentials.PacketProjectID],
+	}
+	b, err := json.Marshal(cloudSA)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to marshal cloud-sa to json")
+	}
+
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      packetCloudSASecretName,
+			Namespace: metav1.NamespaceSystem,
+		},
+		Data: map[string][]byte{
+			"cloud-sa.json": b,
+		},
+	}, nil
+}
+
 func packetClusterRole() *rbacv1.ClusterRole {
 	return &rbacv1.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{
@@ -180,29 +219,14 @@ func packetDeployment() *appsv1.Deployment {
 								"--cloud-provider=packet",
 								"--leader-elect=false",
 								"--allow-untagged-cloud=true",
+								"--authentication-skip-lookup=true",
+								"--provider-config=/etc/cloud-sa/cloud-sa.json",
 							},
-							Env: []corev1.EnvVar{
-								{
-									Name: "PACKET_AUTH_TOKEN",
-									ValueFrom: &corev1.EnvVarSource{
-										SecretKeyRef: &corev1.SecretKeySelector{
-											LocalObjectReference: corev1.LocalObjectReference{
-												Name: credentials.SecretName,
-											},
-											Key: credentials.PacketAPIKeyMC,
-										},
-									},
-								},
+							VolumeMounts: []corev1.VolumeMount{
 								{
-									Name: "PACKET_PROJECT_ID",
-									ValueFrom: &corev1.EnvVarSource{
-										SecretKeyRef: &corev1.SecretKeySelector{
-											LocalObjectReference: corev1.LocalObjectReference{
-												Name: credentials.SecretName,
-											},
-											Key: credentials.PacketProjectID,
-										},
-									},
+									Name:      "cloud-sa-volume",
+									ReadOnly:  true,
+									MountPath: "/etc/cloud-sa",
 								},
 							},
 							Resources: corev1.ResourceRequirements{
@@ -213,6 +237,16 @@ func packetDeployment() *appsv1.Deployment {
 							},
 						},
 					},
+					Volumes: []corev1.Volume{
+						{
+							Name: "cloud-sa-volume",
+							VolumeSource: corev1.VolumeSource{
+								Secret: &corev1.SecretVolumeSource{
+									SecretName: packetCloudSASecretName,
+								},
+							},
+						},
+					},
 				},
 			},
 		},