diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/types.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/types.go
index f8e84ae6e70..fabd318e0de 100644
--- a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/types.go
+++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/types.go
@@ -32,6 +32,17 @@ type CredentialProviderRequest struct {
 	// credential provider plugin request. Plugins may optionally parse the image
 	// to extract any information required to fetch credentials.
 	Image string
+
+	// serviceAccountToken is the service account token bound to the pod for which
+	// the image is being pulled. This token is only sent to the plugin if the
+	// tokenAttributes.serviceAccountTokenAudience field is configured in the kubelet's credential provider configuration.
+	ServiceAccountToken string
+
+	// serviceAccountAnnotations is a map of annotations on the service account bound to the
+	// pod for which the image is being pulled. The list of annotations in the service account
+	// that need to be passed to the plugin is configured in the kubelet's credential provider
+	// configuration.
+	ServiceAccountAnnotations map[string]string
 }
 
 type PluginCacheKeyType string
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/types.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/types.go
index 3cce9cc428e..994f34610a4 100644
--- a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/types.go
+++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/types.go
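Review bot: The internal `ServiceAccountToken` field carries no `datapolicy` struct tag, while the v1 counterpart in this same commit is tagged `datapolicy:"token"`; the internal struct is the one the kubelet holds in memory, so the redaction tooling that keys off that tag should see it here as well. Suggest `ServiceAccountToken string \`datapolicy:"token"\``. The doc comment also leaves open what a plugin may do with the token; a sentence such as `// Plugins must treat this value as a credential: do not log it and do not persist it beyond the exchange for registry credentials.` would make the contract explicit. CredentialProviderRequest starts before this hunk.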
@@ -32,6 +32,18 @@ type CredentialProviderRequest struct {
 	// credential provider plugin request. Plugins may optionally parse the image
 	// to extract any information required to fetch credentials.
 	Image string `json:"image"`
+
+	// serviceAccountToken is the service account token bound to the pod for which
+	// the image is being pulled. This token is only sent to the plugin if the
+	// tokenAttributes.serviceAccountTokenAudience field is configured in the kubelet's credential
+	// provider configuration.
+	ServiceAccountToken string `json:"serviceAccountToken,omitempty" datapolicy:"token"`
+
+	// serviceAccountAnnotations is a map of annotations on the service account bound to the
+	// pod for which the image is being pulled. The list of annotations in the service account
+	// that need to be passed to the plugin is configured in the kubelet's credential provider
+	// configuration.
+	ServiceAccountAnnotations map[string]string `json:"serviceAccountAnnotations,omitempty"`
 }
 
 type PluginCacheKeyType string
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.conversion.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.conversion.go
index 97922e9763c..77692a74976 100644
--- a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.conversion.go
+++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.conversion.go
@@ -94,6 +94,8 @@ func Convert_credentialprovider_AuthConfig_To_v1_AuthConfig(in *credentialprovid
 
 func autoConvert_v1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(in *CredentialProviderRequest, out *credentialprovider.CredentialProviderRequest, s conversion.Scope) error {
 	out.Image = in.Image
+	out.ServiceAccountToken = in.ServiceAccountToken
+	out.ServiceAccountAnnotations = *(*map[string]string)(unsafe.Pointer(&in.ServiceAccountAnnotations))
 	return nil
 }
 
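Review bot: The doc comment for `ServiceAccountToken` does not say how a pod-bound token interacts with the response-side cache key (`PluginCacheKeyType`, declared just below the struct): a plugin that exchanges this token for registry credentials and still answers with a registry- or global-scoped cache key would, unless the kubelet keys its credential cache on the service account elsewhere (not visible in this diff), let credentials obtained with one pod's identity be served to other pods. Spell that out where plugin authors will read it, e.g. `// Credentials derived from this token are specific to the pod's service account; plugins returning them must not use a cache key broader than that scope.` The `omitempty` on the JSON tag is appropriate since the field is only populated when the audience is configured. CredentialProviderRequest starts before this hunk.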
@@ -104,6 +106,8 @@ func Convert_v1_CredentialProviderRequest_To_credentialprovider_CredentialProvid
 
 func autoConvert_credentialprovider_CredentialProviderRequest_To_v1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
 	out.Image = in.Image
+	out.ServiceAccountToken = in.ServiceAccountToken
+	out.ServiceAccountAnnotations = *(*map[string]string)(unsafe.Pointer(&in.ServiceAccountAnnotations))
 	return nil
 }
 
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.deepcopy.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.deepcopy.go
index aa12d576747..348574fe73e 100644
--- a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.deepcopy.go
@@ -46,6 +46,13 @@ func (in *AuthConfig) DeepCopy() *AuthConfig {
 
 func (in *CredentialProviderRequest) DeepCopyInto(out *CredentialProviderRequest) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
+	if in.ServiceAccountAnnotations != nil {
+		in, out := &in.ServiceAccountAnnotations, &out.ServiceAccountAnnotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	return
 }
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1/conversion.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1/conversion.go
new file mode 100644
index 00000000000..fef1e902921
--- /dev/null
+++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1/conversion.go
@@ -0,0 +1,27 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/kubelet/pkg/apis/credentialprovider"
+)
+
+func Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
+	// This conversion intentionally omits the serviceAccountToken and serviceAccountAnnotations fields which are only supported in v1 CredentialProviderRequest.
+	return autoConvert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in, out, s)
+}
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1/zz_generated.conversion.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1/zz_generated.conversion.go
index 4a3f3c835ff..0ce548515a0 100644
--- a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1/zz_generated.conversion.go
+++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1/zz_generated.conversion.go
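Review bot: `Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest` is exported but has no doc comment, and the one fact a caller needs, that the token and annotations are dropped, sits inside the body where godoc will not show it; move it above the declaration as `// Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest is a manual conversion; it intentionally drops ServiceAccountToken and ServiceAccountAnnotations, which exist only in v1 CredentialProviderRequest.` The same applies to the v1beta1 copy of this file later in the diff. Because the drop is silent, a kubelet configured to send a token to a plugin that speaks v1alpha1 or v1beta1 will invoke the plugin without it and the failure will only surface as a registry authentication error; unless configuration validation already rejects tokenAttributes for non-v1 plugins (not visible here), that check belongs alongside this conversion.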
@@ -52,11 +52,6 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*credentialprovider.CredentialProviderRequest)(nil), (*CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(a.(*credentialprovider.CredentialProviderRequest), b.(*CredentialProviderRequest), scope)
-	}); err != nil {
-		return err
-	}
 	if err := s.AddGeneratedConversionFunc((*CredentialProviderResponse)(nil), (*credentialprovider.CredentialProviderResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(a.(*CredentialProviderResponse), b.(*credentialprovider.CredentialProviderResponse), scope)
 	}); err != nil {
@@ -67,6 +62,11 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddConversionFunc((*credentialprovider.CredentialProviderRequest)(nil), (*CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(a.(*credentialprovider.CredentialProviderRequest), b.(*CredentialProviderRequest), scope)
+	}); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -104,14 +104,11 @@ func Convert_v1alpha1_CredentialProviderRequest_To_credentialprovider_Credential
 
 func autoConvert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
 	out.Image = in.Image
+	// WARNING: in.ServiceAccountToken requires manual conversion: does not exist in peer-type
+	// WARNING: in.ServiceAccountAnnotations requires manual conversion: does not exist in peer-type
 	return nil
 }
 
-// Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest is an autogenerated conversion function.
-func Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
-	return autoConvert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in, out, s)
-}
-
 func autoConvert_v1alpha1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in *CredentialProviderResponse, out *credentialprovider.CredentialProviderResponse, s conversion.Scope) error {
 	out.CacheKeyType = credentialprovider.PluginCacheKeyType(in.CacheKeyType)
 	out.CacheDuration = (*v1.Duration)(unsafe.Pointer(in.CacheDuration))
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1/conversion.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1/conversion.go
new file mode 100644
index 00000000000..73cb7a7d6cb
--- /dev/null
+++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1/conversion.go
@@ -0,0 +1,27 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/kubelet/pkg/apis/credentialprovider"
+)
+
+func Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
+	// This conversion intentionally omits the serviceAccountToken and serviceAccountAnnotations fields which are only supported in v1 CredentialProviderRequest.
+	return autoConvert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in, out, s)
+}
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1/zz_generated.conversion.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1/zz_generated.conversion.go
index 1991aab6dde..070ed088ba1 100644
--- a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1/zz_generated.conversion.go
+++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1/zz_generated.conversion.go
@@ -52,11 +52,6 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*credentialprovider.CredentialProviderRequest)(nil), (*CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(a.(*credentialprovider.CredentialProviderRequest), b.(*CredentialProviderRequest), scope)
-	}); err != nil {
-		return err
-	}
 	if err := s.AddGeneratedConversionFunc((*CredentialProviderResponse)(nil), (*credentialprovider.CredentialProviderResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(a.(*CredentialProviderResponse), b.(*credentialprovider.CredentialProviderResponse), scope)
 	}); err != nil {
@@ -67,6 +62,11 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddConversionFunc((*credentialprovider.CredentialProviderRequest)(nil), (*CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(a.(*credentialprovider.CredentialProviderRequest), b.(*CredentialProviderRequest), scope)
+	}); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -104,14 +104,11 @@ func Convert_v1beta1_CredentialProviderRequest_To_credentialprovider_CredentialP
 
 func autoConvert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
 	out.Image = in.Image
+	// WARNING: in.ServiceAccountToken requires manual conversion: does not exist in peer-type
+	// WARNING: in.ServiceAccountAnnotations requires manual conversion: does not exist in peer-type
 	return nil
 }
 
-// Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest is an autogenerated conversion function.
-func Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
-	return autoConvert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in, out, s)
-}
-
 func autoConvert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in *CredentialProviderResponse, out *credentialprovider.CredentialProviderResponse, s conversion.Scope) error {
 	out.CacheKeyType = credentialprovider.PluginCacheKeyType(in.CacheKeyType)
 	out.CacheDuration = (*v1.Duration)(unsafe.Pointer(in.CacheDuration))
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/zz_generated.deepcopy.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/zz_generated.deepcopy.go
index bc9b5e01fb2..a5a2432534b 100644
--- a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/zz_generated.deepcopy.go
@@ -46,6 +46,13 @@ func (in *AuthConfig) DeepCopy() *AuthConfig {
 
 func (in *CredentialProviderRequest) DeepCopyInto(out *CredentialProviderRequest) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
+	if in.ServiceAccountAnnotations != nil {
+		in, out := &in.ServiceAccountAnnotations, &out.ServiceAccountAnnotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	return
 }