diff --git a/.github/actions/deploy-environment-aks/action.yml b/.github/actions/deploy-environment-aks/action.yml
index ad0d05ede..13beb6431 100644
--- a/.github/actions/deploy-environment-aks/action.yml
+++ b/.github/actions/deploy-environment-aks/action.yml
@@ -33,6 +33,11 @@ runs:
 with:
 azure-credentials: ${{ inputs.azure-credentials }}
 
+ - uses: google-github-actions/auth@v2
+ with:
+ project_id: teaching-qualifications
+ workload_identity_provider: projects/737868692824/locations/global/workloadIdentityPools/refer-serious-misconduct/providers/refer-serious-misconduct
+
 - name: Terraform Apply
 shell: bash
 run: |
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
index 7970f13cc..f6cb6e4e0 100644
--- a/.github/workflows/build-and-deploy.yml
+++ b/.github/workflows/build-and-deploy.yml
@@ -39,6 +39,9 @@ jobs:
 needs: [build_image]
 environment:
 name: aks-review
+ permissions:
+ pull-requests: write
+ id-token: write
 steps:
 - uses: actions/checkout@v4
 
@@ -77,6 +80,8 @@ jobs:
 url: ${{ steps.deploy.outputs.environment_url }}
 outputs:
 environment_name: ${{ matrix.environment }}
+ permissions:
+ id-token: write
 steps:
 - uses: actions/checkout@v4
 
diff --git a/.github/workflows/delete-review-app.yml b/.github/workflows/delete-review-app.yml
index a92700dce..646cdce59 100644
--- a/.github/workflows/delete-review-app.yml
+++ b/.github/workflows/delete-review-app.yml
@@ -10,6 +10,7 @@ on:
 description: PR number of review app to delete
 required: true
 type: string
+
 jobs:
 delete-review-app-aks:
 name: Delete Review App AKS ${{ github.event.pull_request.number }}
@@ -17,6 +18,10 @@ jobs:
 if: contains(github.event.pull_request.labels.*.name, 'deploy-aks') || ${{ github.event_name }} == 'workflow_dispatch'
 runs-on: ubuntu-latest
 environment: aks-review
+ permissions:
+ pull-requests: write
+ id-token: write
+
 steps:
 - name: Checkout
 uses: actions/checkout@v4
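Review bot: The new google-github-actions/auth step is pinned to the mutable `v2` tag, so the code that receives this job's OIDC token and writes the resulting GCP credential can change without any diff in this repository; pin it to a full-length commit SHA and keep the tag as a trailing comment, e.g. `- uses: google-github-actions/auth@<full-commit-sha>  # v2`. The identical step is duplicated verbatim in the second delete-review-app.yml hunk, so the same applies there. By default this action writes a credential configuration file into the workspace and exports its path, so no later step in this composite action should archive, upload or commit the workspace — the Terraform Apply step that follows presumably does not, but it is worth confirming. Since a composite action cannot declare `permissions`, a comment such as `# requires id-token: write on the calling job (see build-and-deploy.yml)` above the step would make the coupling explicit.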
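Review bot: Adding a job-level `permissions` block sets every scope not listed to `none`, so the job at @@ -39 now runs `actions/checkout@v4` with `contents: none`; that still works for a public repository but fails for a private one, and any later step that relies on the repository token for reads will break. Add `contents: read` next to the new scopes so the intent is explicit: `permissions:` / `contents: read` / `pull-requests: write` / `id-token: write`. The same applies to the @@ -77 hunk in this file and to the @@ -17 hunk in delete-review-app.yml. If pull requests from forks can reach the review-app job, note that `id-token: write` is not granted on that trigger, so the new auth step would fail there rather than here.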
@@ -40,6 +45,11 @@ jobs:
 with:
 azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
 
+ - uses: google-github-actions/auth@v2
+ with:
+ project_id: teaching-qualifications
+ workload_identity_provider: projects/737868692824/locations/global/workloadIdentityPools/refer-serious-misconduct/providers/refer-serious-misconduct
+
 - name: Terraform Destroy
 run: |
 make ci aks-review aks-terraform-destroy PR_NUMBER=${{ env.PR_NUMBER }}
diff --git a/config/initializers/dfe_analytics.rb b/config/initializers/dfe_analytics.rb
index d166aa45b..66c536e77 100644
--- a/config/initializers/dfe_analytics.rb
+++ b/config/initializers/dfe_analytics.rb
@@ -8,4 +8,5 @@ disabled_by_default = Rails.env.development?
 ENV.fetch("BIGQUERY_DISABLE", disabled_by_default.to_s) != "true"
 end
 
+ config.azure_federated_auth = ENV.include? "GOOGLE_CLOUD_CREDENTIALS"
 end
diff --git a/terraform/application/application.tf b/terraform/application/application.tf
index 52d18ba42..ec4461e0d 100644
--- a/terraform/application/application.tf
+++ b/terraform/application/application.tf
@@ -19,12 +19,15 @@ module "application_configuration" {
 AZURE_STORAGE_CONTAINER = azurerm_storage_container.uploads.name
 GROVER_NO_SANDBOX = "true"
 PUPPETEER_EXECUTABLE_PATH = "/usr/bin/chromium-browser"
+ BIGQUERY_DATASET = var.dataset_name
+ BIGQUERY_PROJECT_ID = "refer-serious-misconduct"
+ BIGQUERY_TABLE_NAME = "events"
 }
- secret_variables = {
+ secret_variables = merge({
 DATABASE_URL = module.postgres.url
 REDIS_URL = module.redis-cache.url
 AZURE_STORAGE_ACCESS_KEY = azurerm_storage_account.allegations.primary_access_key
- }
+ }, local.federated_auth_secrets)
 }
 
 module "web_application" {
@@ -67,4 +70,5 @@ module "main_worker" {
 command = ["/bin/sh", "-c", "bundle exec sidekiq -C config/sidekiq.yml"]
 probe_command = ["pgrep", "-f", "sidekiq"]
 enable_logit = var.enable_logit
+ enable_gcp_wif = true
 }
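Review bot: `config.azure_federated_auth = ENV.include? "GOOGLE_CLOUD_CREDENTIALS"` turns federated auth on from the mere presence of the variable, so an empty `GOOGLE_CLOUD_CREDENTIALS=` in a pod spec would select that mode with nothing to authenticate with; `ENV.key?("GOOGLE_CLOUD_CREDENTIALS")` is the same test under its conventional name, and `ENV["GOOGLE_CLOUD_CREDENTIALS"].present?` would also cover the empty case if the gem does not tolerate it. The pairing of a setting named `azure_federated_auth` with a `GOOGLE_CLOUD_CREDENTIALS` variable is not self-explanatory, so a comment is warranted, e.g. `# Set by terraform only when enable_dfe_analytics_federated_auth is on; presumably a GCP credential configuration that exchanges the pod's Azure workload identity token for BigQuery access rather than a key file — confirm against the aks dfe_analytics module`. The configure block this line sits in starts before the hunk.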
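Review bot: `enable_gcp_wif = true` on main_worker (@@ -67) is unconditional, while the credential it is meant to use is only created and injected when `var.enable_dfe_analytics_federated_auth` is set (the `merge(..., local.federated_auth_secrets)` in the first hunk), so environments with the flag off get the workload-identity wiring with nothing behind it; `enable_gcp_wif = var.enable_dfe_analytics_federated_auth` keeps the two in step. `BIGQUERY_DATASET = var.dataset_name` is likewise emitted for every environment, and with the variable's `null` default it presumably either fails map validation or lands as an empty string depending on how application_configuration handles it — worth checking for environments that set neither value. `BIGQUERY_PROJECT_ID = "refer-serious-misconduct"` duplicates the project hard-coded in the new `provider "google"` block, so one local or variable would stop them drifting. Only main_worker gets `enable_gcp_wif`; if the web pods also emit analytics events they need it too, otherwise a comment should say why the worker alone does.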
diff --git a/terraform/application/config/review.tfvars.json b/terraform/application/config/review.tfvars.json
index 94b6abe79..816bd2e37 100644
--- a/terraform/application/config/review.tfvars.json
+++ b/terraform/application/config/review.tfvars.json
@@ -3,9 +3,11 @@
 "namespace": "tra-development",
 "deploy_azure_backing_services": false,
 "enable_postgres_ssl": false,
+ "dataset_name": "events_dev",
+ "enable_dfe_analytics_federated_auth": true,
 "webapp_startup_command": [
 "/bin/sh",
 "-c",
- "bundle exec rails db:schema_load_or_migrate && bundle exec rails runner \"%i(eligibility_screener referral_form).each {|flag| FeatureFlags::FeatureFlag.activate(flag)}\" && bundle exec rails server -b 0.0.0.0"
+ "/usr/sbin/sshd && bundle exec rails db:migrate:ignore_concurrent_migration_exceptions && bundle exec rails runner \"%i(eligibility_screener referral_form).each {|flag| FeatureFlags::FeatureFlag.activate(flag)}\" && bundle exec rails server -b 0.0.0.0"
 ]
 }
diff --git a/terraform/application/config/test.tfvars.json b/terraform/application/config/test.tfvars.json
index 59313bf91..946bd50c3 100644
--- a/terraform/application/config/test.tfvars.json
+++ b/terraform/application/config/test.tfvars.json
@@ -1,5 +1,6 @@
 {
 "cluster": "test",
 "namespace": "tra-test",
- "enable_postgres_backup_storage": true
+ "enable_postgres_backup_storage": true,
+ "dataset_name": "events_test"
 }
diff --git a/terraform/application/dfe_analytics.tf b/terraform/application/dfe_analytics.tf
new file mode 100644
index 000000000..1e3adb837
--- /dev/null
+++ b/terraform/application/dfe_analytics.tf
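Review bot: The new `webapp_startup_command` starts `/usr/sbin/sshd` inside the review-app web container before Rails, which has nothing to do with the federated-auth change and widens the attack surface of every review app (a listening SSH daemon with whatever host and authorized keys the image carries); it also swaps `db:schema_load_or_migrate` for `db:migrate:ignore_concurrent_migration_exceptions`, which behaves differently on a fresh database. If both are intended they belong in their own commit with a note on why sshd is needed on AKS; if they arrived with a rebase, the removed line should be restored. Separately, review sets `"enable_dfe_analytics_federated_auth": true` while the test.tfvars.json hunk adds only `"dataset_name"`, so test will receive the BIGQUERY_* variables without the credential — acceptable if deliberate, but since tfvars.json cannot carry a comment, record the reason in the `dataset_name` variable description.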
@@ -0,0 +1,15 @@
+provider "google" {
+ project = "refer-serious-misconduct"
+}
+
+module "dfe_analytics" {
+ count = var.enable_dfe_analytics_federated_auth ? 1 : 0
+ source = "./vendor/modules/aks//aks/dfe_analytics"
+
+ azure_resource_prefix = var.azure_resource_prefix
+ cluster = var.cluster
+ namespace = var.namespace
+ service_short = var.service_short
+ environment = var.environment
+ gcp_dataset = var.dataset_name
+}
diff --git a/terraform/application/variables.tf b/terraform/application/variables.tf
index 2df8285ec..baea30144 100644
--- a/terraform/application/variables.tf
+++ b/terraform/application/variables.tf
@@ -103,6 +103,16 @@ variable "webapp_startup_command" {
 description = "Override Dockerfile startup command"
 }
 
+variable "enable_dfe_analytics_federated_auth" {
+ description = "Create the resources in Google cloud for federated authentication and enable in application"
+ default = false
+}
+
+variable "dataset_name" {
+ description = "dfe analytics dataset name in Google Bigquery"
+ default = null
+}
+
 locals {
 postgres_ssl_mode = var.enable_postgres_ssl ? "require" : "disable"
 storage_account_environment = var.config == var.environment ? var.config_short : replace(var.environment, "-", "")
@@ -111,4 +121,8 @@ locals {
 environment_variables = yamldecode(file("${path.module}/config/${var.config}.yml"))
 ingress_domain = "${var.service_name}-${var.environment}.${module.cluster_data.ingress_domain}"
 external_domain = try(local.environment_variables["EXTERNAL_DOMAIN"], local.ingress_domain)
+
+ federated_auth_secrets = var.enable_dfe_analytics_federated_auth ? {
+ GOOGLE_CLOUD_CREDENTIALS = module.dfe_analytics[0].google_cloud_credentials
+ } : {}
 }
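Review bot: The new file has no comment tying `provider "google"` to how it authenticates, and nothing in this diff pins a `google` provider version — if `required_providers` is not declared elsewhere in the module, add one so `terraform init` cannot silently pick up a new major. In CI the provider presumably picks up the credential file exported by the google-github-actions/auth step added in the workflows, which is exactly the kind of cross-file coupling a header comment should state, e.g. `# Authenticates with the credential exported by google-github-actions/auth in CI; only creates the federated-auth resources when enable_dfe_analytics_federated_auth is set — confirm against the vendored module's README`. The module's `google_cloud_credentials` output is fed straight into `secret_variables` in application.tf, so check that the vendored module marks it `sensitive = true`; otherwise it is printed in every plan. The `project` here duplicates the literal in `BIGQUERY_PROJECT_ID`, which one local would avoid.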
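Review bot: Both new variables in the @@ -103 hunk lack a `type`, so `enable_dfe_analytics_federated_auth` accepts a string where a bool is meant and `dataset_name` with `default = null` is typed `any`; declare `type = bool` and `type = string` so a tfvars typo fails at plan time instead of surfacing as an odd env value. `dataset_name` is effectively required whenever the flag is on, since it feeds both `gcp_dataset` and `BIGQUERY_DATASET`, which the description should say: `description = "dfe-analytics dataset name in Google BigQuery; required when enable_dfe_analytics_federated_auth is true"` (a `validation` block can enforce it on Terraform versions that allow cross-variable references). The locals hunk at @@ -111 is sound as written, because `module.dfe_analytics[0]` is only evaluated under the same condition that sets `count` to 1.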