diff --git a/infra/config/cr-buildbucket.cfg b/infra/config/cr-buildbucket.cfg
index 73a6d4929..3388f02fb 100644
--- a/infra/config/cr-buildbucket.cfg
+++ b/infra/config/cr-buildbucket.cfg
@@ -599,10 +599,25 @@ buckets {
       service_account: "libyuv-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
     }
   }
+  shadow: "ci.shadow"
   constraints {
     pools: "luci.flex.ci"
   }
 }
+buckets {
+  name: "ci.shadow"
+  acls {
+    role: WRITER
+    group: "project-libyuv-admins"
+  }
+  acls {
+    group: "all"
+  }
+  constraints {
+    pools: "luci.flex.ci"
+  }
+  dynamic_builder_template {}
+}
 buckets {
   name: "cron"
   acls {
@@ -1141,8 +1156,23 @@ buckets {
       service_account: "libyuv-try-builder@chops-service-accounts.iam.gserviceaccount.com"
     }
   }
+  shadow: "try.shadow"
   constraints {
     pools: "luci.flex.try"
     service_accounts: "libyuv-try-builder@chops-service-accounts.iam.gserviceaccount.com"
   }
 }
+buckets {
+  name: "try.shadow"
+  acls {
+    role: WRITER
+    group: "project-libyuv-admins"
+  }
+  acls {
+    group: "all"
+  }
+  constraints {
+    pools: "luci.flex.try"
+  }
+  dynamic_builder_template {}
+}
diff --git a/infra/config/main.star b/infra/config/main.star
index 801cc8f35..32e2505e4 100755
--- a/infra/config/main.star
+++ b/infra/config/main.star
@@ -172,6 +172,26 @@ luci.bucket(
         pools = ["luci.flex.ci"],
     ),
 )
+luci.bucket(
+    name = "ci.shadow",
+    shadows = "ci",
+    constraints = luci.bucket_constraints(
+        pools = ["luci.flex.ci"],
+    ),
+    bindings = [
+        # For led permissions.
+        luci.binding(
+            roles = "role/buildbucket.creator",
+            groups = [
+                "chromium-led-users",
+                "mdb/chrome-build-access-sphinx",
+                "mdb/chrome-troopers",
+                "mdb/foundry-x-team",
+            ],
+        ),
+    ],
+    dynamic = True,
+)
 luci.bucket(
     name = "try",
     acls = [
@@ -187,6 +207,26 @@ luci.bucket(
         ],
     ),
 )
+luci.bucket(
+    name = "try.shadow",
+    shadows = "try",
+    constraints = luci.bucket_constraints(
+        pools = ["luci.flex.try"],
+    ),
+    bindings = [
+        # For led permissions.
+        luci.binding(
+            roles = "role/buildbucket.creator",
+            groups = [
+                "chromium-led-users",
+                "mdb/chrome-build-access-sphinx",
+                "mdb/chrome-troopers",
+                "mdb/foundry-x-team",
+            ],
+        ),
+    ],
+    dynamic = True,
+)
 luci.bucket(
     name = "cron",
 )
diff --git a/infra/config/realms.cfg b/infra/config/realms.cfg
index e275bdd1a..ba9b20b89 100644
--- a/infra/config/realms.cfg
+++ b/infra/config/realms.cfg
@@ -62,6 +62,16 @@ realms {
     }
   }
 }
+realms {
+  name: "ci.shadow"
+  bindings {
+    role: "role/buildbucket.creator"
+    principals: "group:chromium-led-users"
+    principals: "group:mdb/chrome-build-access-sphinx"
+    principals: "group:mdb/chrome-troopers"
+    principals: "group:mdb/foundry-x-team"
+  }
+}
 realms {
   name: "cron"
   bindings {
@@ -81,3 +91,13 @@ realms {
     principals: "group:service-account-cq"
   }
 }
+realms {
+  name: "try.shadow"
+  bindings {
+    role: "role/buildbucket.creator"
+    principals: "group:chromium-led-users"
+    principals: "group:mdb/chrome-build-access-sphinx"
+    principals: "group:mdb/chrome-troopers"
+    principals: "group:mdb/foundry-x-team"
+  }
+}