diff --git a/modules/hub/README.md b/modules/hub/README.md index 805a8541ef..2b4ad0bffc 100644 --- a/modules/hub/README.md +++ b/modules/hub/README.md @@ -41,7 +41,9 @@ To deploy this config: | gke\_hub\_sa\_name | Name for the GKE Hub SA stored as a secret `creds-gcp` in the `gke-connect` namespace. | string | `"gke-hub-sa"` | no | | location | The location (zone or region) this cluster has been created in. | string | n/a | yes | | project\_id | The project in which the resource belongs. | string | n/a | yes | +| sa\_private\_key | Private key for service account base64 encoded. Required only if `use_existing_sa` is set to `true`. | string | `"null"` | no | | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"true"` | no | +| use\_existing\_sa | Uses an existing service account to register membership. Requires sa_private_key | bool | `"false"` | no | | use\_tf\_google\_credentials\_env\_var | Optional GOOGLE_CREDENTIALS environment variable to be activated. | bool | `"false"` | no | ## Outputs diff --git a/modules/hub/main.tf b/modules/hub/main.tf index a1a6b3c1d1..d8ac255f16 100644 --- a/modules/hub/main.tf +++ b/modules/hub/main.tf 
@@ -15,26 +15,29 @@
  */
 
 locals {
-  gke_hub_sa_key = google_service_account_key.gke_hub_key.private_key
+  gke_hub_sa_key = var.use_existing_sa ? var.sa_private_key : google_service_account_key.gke_hub_key[0].private_key
 }
 
 data "google_client_config" "default" {
 }
 
 resource "google_service_account" "gke_hub_sa" {
+  count = var.use_existing_sa ? 0 : 1
   account_id = var.gke_hub_sa_name
   project = var.project_id
   display_name = "Service Account for GKE Hub Registration"
 }
 
 resource "google_project_iam_member" "gke_hub_member" {
+  count = var.use_existing_sa ? 0 : 1
   project = var.project_id
   role = "roles/gkehub.connect"
-  member = "serviceAccount:${google_service_account.gke_hub_sa.email}"
+  member = "serviceAccount:${google_service_account.gke_hub_sa[0].email}"
 }
 
 resource "google_service_account_key" "gke_hub_key" {
-  service_account_id = google_service_account.gke_hub_sa.name
+  count = var.use_existing_sa ? 0 : 1
+  service_account_id = google_service_account.gke_hub_sa[0].name
 }
 
 module "gke_hub_registration" {
diff --git a/modules/hub/variables.tf b/modules/hub/variables.tf
index 75a3ec7e7f..aea9855057 100644
--- a/modules/hub/variables.tf
+++ b/modules/hub/variables.tf
@@ -69,3 +69,15 @@ variable "gke_hub_membership_name" {
   type = string
   default = "gke-hub-membership"
 }
+
+variable "use_existing_sa" {
+  description = "Uses an existing service account to register membership. Requires sa_private_key"
+  type = bool
+  default = false
+}
+
+variable "sa_private_key" {
+  description = "Private key for service account base64 encoded. Required only if `use_existing_sa` is set to `true`."
+  type = string
+  default = null
+}
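Review bot: Adding `count` to `google_service_account.gke_hub_sa`, `google_project_iam_member.gke_hub_member` and `google_service_account_key.gke_hub_key` moves each of them to the `[0]` index address, so an existing deployment of this module will plan to destroy and recreate the hub service account and its key on upgrade unless the state entries are moved first (one `terraform state mv google_service_account.gke_hub_sa 'google_service_account.gke_hub_sa[0]'` per resource); that deserves an upgrade note in the README. When `use_existing_sa` is true the `roles/gkehub.connect` binding is skipped as well, so the caller-supplied account must already hold that role, which neither hunk states. In the same case `local.gke_hub_sa_key` is simply `var.sa_private_key`, whose default is `null`, so a caller who sets the flag without a key gets a null key handed to the registration with nothing failing at plan time; a comment on the local such as `# null when use_existing_sa is true but sa_private_key was not supplied` and a check against that combination would help. `module "gke_hub_registration"` continues outside the hunk.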
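Review bot: `sa_private_key` holds a service-account private key but is declared as an ordinary string, so its value may be echoed in plan output or in logs that print module inputs; if the module's minimum Terraform version is 0.14 or later (the constraint is not visible in this diff), add `sensitive = true` to that variable block. The `use_existing_sa` description should also say what the module stops doing for the caller, e.g. `description = "Uses an existing service account to register membership. Requires sa_private_key; the module will neither create the account nor grant it roles/gkehub.connect, so the existing account must already hold that role."`. In either mode the key ends up in Terraform state, which is worth one sentence in the README so operators know the state backend must be protected accordingly.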