diff --git a/.github/actions/deploy-environment/action.yml b/.github/actions/deploy-environment/action.yml
index 2801d915..15263c02 100644
--- a/.github/actions/deploy-environment/action.yml
+++ b/.github/actions/deploy-environment/action.yml
@@ -33,6 +33,11 @@ runs:
       with:
         azure-credentials: ${{ inputs.azure-credentials }}
 
+    - uses: google-github-actions/auth@v2
+      with:
+        project_id: teaching-qualifications
+        workload_identity_provider: projects/708780292301/locations/global/workloadIdentityPools/access-your-teaching-qualificati/providers/access-your-teaching-qualifications
+
     - name: Terraform Apply
       shell: bash
       run: |
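Review bot: The added `google-github-actions/auth@v2` step is referenced by a mutable tag, yet it is the step that exchanges the job's OIDC token for Google Cloud access. Pinning it to a full commit SHA, `- uses: google-github-actions/auth@<full-commit-sha>  # v2`, keeps a moved tag from running with that token. The step has no `if:` guard, so it runs for every caller of this composite action, and each calling job needs `id-token: write`. Whether the workload identity provider only accepts tokens from this repository is configured in Google Cloud and cannot be seen here, so confirm it carries an attribute condition on the repository. The `Terraform Apply` step continues outside the hunk.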
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
index 484f8982..1488ae5c 100644
--- a/.github/workflows/build-and-deploy.yml
+++ b/.github/workflows/build-and-deploy.yml
@@ -22,6 +22,7 @@ on:
         options:
           - production
 
+
 jobs:
   build_image:
     name: Image build and push
@@ -46,6 +47,9 @@ jobs:
     needs: [build_image]
     environment:
       name: review
+    permissions:
+      pull-requests: write
+      id-token: write
 
     steps:
       - uses: actions/checkout@v4
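Review bot: Declaring a job-level `permissions` block sets every scope that is not listed to `none`, so this job no longer has the default `contents: read` that the `actions/checkout@v4` step below uses. If the repository is not public, or a later step reads packages from ghcr.io, add `contents: read` (and `packages: read` where needed) next to `id-token: write`. The same applies to the `permissions` blocks added in the two later hunks of this file, for the `${{ matrix.environment }}` and `production` jobs. The steps of all three jobs continue outside the hunks, so what else they need from the token is not visible here.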
@@ -99,6 +103,8 @@ jobs:
     environment:
       name: ${{ matrix.environment }}
       url: ${{ steps.deploy.outputs.environment_url }}
+    permissions:
+      id-token: write
 
     steps:
       - uses: actions/checkout@v4
@@ -119,6 +125,8 @@ jobs:
     environment:
       name: production
       url: ${{ steps.deploy.outputs.environment_url }}
+    permissions:
+      id-token: write
 
     steps:
       - uses: actions/checkout@v4
diff --git a/config/initializers/dfe_analytics.rb b/config/initializers/dfe_analytics.rb
index 6f4c1826..546d36a2 100644
--- a/config/initializers/dfe_analytics.rb
+++ b/config/initializers/dfe_analytics.rb
@@ -4,6 +4,7 @@
   config.queue = :analytics
   config.environment = HostingEnvironment.environment_name
   config.entity_table_checks_enabled = true
+  config.azure_federated_auth = ENV.include? "GOOGLE_CLOUD_CREDENTIALS"
 
   config.enable_analytics =
     proc do
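Review bot: `ENV.include?` returns true for a variable that is set but empty, so a blank `GOOGLE_CLOUD_CREDENTIALS` would turn `azure_federated_auth` on with no usable credential configuration behind it. `config.azure_federated_auth = ENV["GOOGLE_CLOUD_CREDENTIALS"].present?` treats an empty value as off and avoids the unparenthesised call on the right-hand side. The configure block starts and ends outside the hunk.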
diff --git a/terraform/app.tf b/terraform/app.tf
index 7ac1421c..fd43444e 100644
--- a/terraform/app.tf
+++ b/terraform/app.tf
@@ -1,21 +1,21 @@
 locals {
   aytq_env_vars = merge(try(local.infrastructure_secrets, null),
     {
-      AZURE_STORAGE_ACCOUNT_NAME            = azurerm_storage_account.evidence.name,
-      AZURE_STORAGE_ACCESS_KEY              = azurerm_storage_account.evidence.primary_access_key,
-      AZURE_STORAGE_CONTAINER               = azurerm_storage_container.uploads.name
-      BIGQUERY_DATASET                      = "events_${var.environment_name}",
-      BIGQUERY_PROJECT_ID                   = "teaching-qualifications",
-      BIGQUERY_TABLE_NAME                   = "events",
-      CHECK_RECORDS_DOMAIN                  = var.check_domain != null ? "https://${var.check_domain}" : "https://${local.aytq_web_app_name}.azurewebsites.net"
-      ConnectionStrings__Redis              = azurerm_redis_cache.redis.primary_connection_string
-      DATABASE_PASSWORD                     = local.infrastructure_secrets.POSTGRES_ADMIN_PASSWORD
-      DATABASE_URL                          = "postgres://postgres@${local.postgres_server_name}.postgres.database.azure.com:5432"
-      DOCKER_REGISTRY_SERVER_URL            = "https://ghcr.io",
-      HOSTING_DOMAIN                        = var.domain != null ? "https://${var.domain}" : "https://${local.aytq_web_app_name}.azurewebsites.net"
-      HOSTING_ENVIRONMENT_NAME              = local.hosting_environment
-      RAILS_SERVE_STATIC_FILES              = "true"
-      REDIS_URL                             = "rediss://:${azurerm_redis_cache.redis.primary_access_key}@${azurerm_redis_cache.redis.hostname}:${azurerm_redis_cache.redis.ssl_port}/0"
+      AZURE_STORAGE_ACCOUNT_NAME = azurerm_storage_account.evidence.name,
+      AZURE_STORAGE_ACCESS_KEY   = azurerm_storage_account.evidence.primary_access_key,
+      AZURE_STORAGE_CONTAINER    = azurerm_storage_container.uploads.name
+      BIGQUERY_DATASET           = "events_${var.environment_name}",
+      BIGQUERY_PROJECT_ID        = "teaching-qualifications",
+      BIGQUERY_TABLE_NAME        = "events",
+      CHECK_RECORDS_DOMAIN       = var.check_domain != null ? "https://${var.check_domain}" : "https://${local.aytq_web_app_name}.azurewebsites.net"
+      ConnectionStrings__Redis   = azurerm_redis_cache.redis.primary_connection_string
+      DATABASE_PASSWORD          = local.infrastructure_secrets.POSTGRES_ADMIN_PASSWORD
+      DATABASE_URL               = "postgres://postgres@${local.postgres_server_name}.postgres.database.azure.com:5432"
+      DOCKER_REGISTRY_SERVER_URL = "https://ghcr.io",
+      HOSTING_DOMAIN             = var.domain != null ? "https://${var.domain}" : "https://${local.aytq_web_app_name}.azurewebsites.net"
+      HOSTING_ENVIRONMENT_NAME   = local.hosting_environment
+      RAILS_SERVE_STATIC_FILES   = "true"
+      REDIS_URL                  = "rediss://:${azurerm_redis_cache.redis.primary_access_key}@${azurerm_redis_cache.redis.hostname}:${azurerm_redis_cache.redis.ssl_port}/0"
     }
   )
 }
diff --git a/terraform/application/application.tf b/terraform/application/application.tf
index cdba3aaf..b33349f9 100644
--- a/terraform/application/application.tf
+++ b/terraform/application/application.tf
@@ -23,11 +23,11 @@ module "application_configuration" {
     BIGQUERY_TABLE_NAME        = "events"
     RAILS_SERVE_STATIC_FILES   = "true"
   }
-  secret_variables = {
+  secret_variables = merge({
     DATABASE_URL             = module.postgres.url
     REDIS_URL                = module.redis-cache.url
     AZURE_STORAGE_ACCESS_KEY = azurerm_storage_account.evidence.primary_access_key
-  }
+  }, local.federated_auth_secrets)
 }
 
 module "web_application" {
@@ -70,4 +70,5 @@ module "worker_application" {
   replicas                   = var.worker_replicas
   docker_image               = var.docker_image
   enable_logit               = true
+  enable_gcp_wif             = true
 }
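Review bot: `enable_gcp_wif = true` is set unconditionally on `worker_application`, while the Google-side resources and the `GOOGLE_CLOUD_CREDENTIALS` secret exist only when `var.enable_dfe_analytics_federated_auth` is true. Tying the two together, `enable_gcp_wif = var.enable_dfe_analytics_federated_auth`, keeps environments that have not opted in from getting workload identity wiring they do not use. What the flag does inside the module is not visible here, so confirm it is safe to leave on where no Google service account is provisioned. The module block starts outside the hunk.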
diff --git a/terraform/application/config/review.tfvars.json b/terraform/application/config/review.tfvars.json
index b9f09a74..a2f0fe23 100644
--- a/terraform/application/config/review.tfvars.json
+++ b/terraform/application/config/review.tfvars.json
@@ -3,5 +3,6 @@
   "namespace": "tra-development",
   "deploy_azure_backing_services": false,
   "enable_postgres_ssl": false,
-  "evidence_container_retention_in_days": 1
+  "evidence_container_retention_in_days": 1,
+  "enable_dfe_analytics_federated_auth": true
 }
diff --git a/terraform/application/dfe_analytics.tf b/terraform/application/dfe_analytics.tf
new file mode 100644
index 00000000..dc547d8c
--- /dev/null
+++ b/terraform/application/dfe_analytics.tf
@@ -0,0 +1,15 @@
+provider "google" {
+  project = "teaching-qualifications"
+}
+
+module "dfe_analytics" {
+  count  = var.enable_dfe_analytics_federated_auth ? 1 : 0
+  source = "./vendor/modules/terraform-modules//aks/dfe_analytics"
+
+  azure_resource_prefix = var.azure_resource_prefix
+  cluster               = var.cluster
+  namespace             = var.namespace
+  service_short         = var.service_short
+  environment           = var.environment
+  gcp_dataset           = "events_${var.config}"
+}
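Review bot: The new `provider "google"` block has no matching version constraint anywhere in this commit; the `required_providers` hunk in `terraform/application/terraform.tf` only re-indents `statuscake`. Unless `google` is already declared in lines outside the diff, `terraform init` will resolve whatever `hashicorp/google` release is current. Add `google = { source = "hashicorp/google", version = "<pinned version>" }` beside the other providers and commit the updated lock file. It is also worth confirming that `gcp_dataset = "events_${var.config}"` names the same dataset the application receives in `BIGQUERY_DATASET`, which is not shown in this diff.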
diff --git a/terraform/application/terraform.tf b/terraform/application/terraform.tf
index 5173676d..7967427a 100644
--- a/terraform/application/terraform.tf
+++ b/terraform/application/terraform.tf
@@ -10,8 +10,8 @@ terraform {
       version = "2.32.0"
     }
     statuscake = {
-     source  = "StatusCakeDev/statuscake"
-     version = "2.2.2"
+      source  = "StatusCakeDev/statuscake"
+      version = "2.2.2"
     }
   }
   backend "azurerm" {
@@ -42,5 +42,5 @@ provider "kubernetes" {
 }
 
 provider "statuscake" {
- api_token = module.infrastructure_secrets.map.STATUSCAKE-API-TOKEN
+  api_token = module.infrastructure_secrets.map.STATUSCAKE-API-TOKEN
 }
diff --git a/terraform/application/variables.tf b/terraform/application/variables.tf
index 684f0a9d..f0e7fae8 100644
--- a/terraform/application/variables.tf
+++ b/terraform/application/variables.tf
@@ -89,6 +89,11 @@ variable "postgres_enable_high_availability" {
   default = false
 }
 
+variable "enable_dfe_analytics_federated_auth" {
+  description = "Create the resources in Google cloud for federated authentication and enable in application"
+  default     = false
+}
+
 locals {
   postgres_ssl_mode = var.enable_postgres_ssl ? "require" : "disable"
 
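Review bot: The new `enable_dfe_analytics_federated_auth` variable declares no type, so any value a tfvars file supplies is accepted and only coerced later, when it reaches the `? :` conditionals and the module `count`. Adding `type = bool` to the block rejects a mistyped value at plan time, before it can decide whether Google credentials are created. The `locals` block that follows continues outside the hunk.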
@@ -105,4 +110,8 @@ locals {
   # s189paytqevidpdsa vs s189daytqevidpr12345sa
   storage_account_environment   = var.config == var.environment ? var.config_short : replace(var.environment, "-", "")
   evidence_storage_account_name = "${local.azure_resource_prefix_short}aytqevid${local.storage_account_environment}sa"
+
+  federated_auth_secrets = var.enable_dfe_analytics_federated_auth ? {
+    GOOGLE_CLOUD_CREDENTIALS = module.dfe_analytics[0].google_cloud_credentials
+  } : {}
 }