diff --git a/.github/workflows/ci-data.yml b/.github/workflows/ci-data.yml
index 1af8e145b7f3..75b0b52b17d5 100644
--- a/.github/workflows/ci-data.yml
+++ b/.github/workflows/ci-data.yml
@@ -42,7 +42,8 @@ jobs:
 
       - uses: google-github-actions/auth@v2
         with:
-          credentials_json: ${{ secrets.GCP_CREDENTIALS }}
+          project_id: "ibis-gbq"
+          workload_identity_provider: "${{ vars.WIF_PROVIDER_NAME }}"
 
       - uses: google-github-actions/setup-gcloud@v2
 
diff --git a/.github/workflows/ibis-backends-cloud.yml b/.github/workflows/ibis-backends-cloud.yml
index b82faa859c21..1b1d3a0b7de1 100644
--- a/.github/workflows/ibis-backends-cloud.yml
+++ b/.github/workflows/ibis-backends-cloud.yml
@@ -15,11 +15,6 @@ on:
     types:
       - labeled
 
-permissions:
-  # this allows extractions/setup-just to list releases for `just` at a higher
-  # rate limit while restricting GITHUB_TOKEN permissions elsewhere
-  contents: read
-
 env:
   FORCE_COLOR: "1"
   SQLALCHEMY_WARN_20: "1"
@@ -79,6 +74,13 @@ jobs:
               key: snowpark
               extras:
                 - --extra snowflake
+    # this allows extractions/setup-just to list releases for `just` at a higher
+    # rate limit while restricting GITHUB_TOKEN permissions elsewhere
+    permissions:
+      contents: "read"
+      # required for GCP workload identity federation
+      id-token: "write"
+
     steps:
       - name: checkout
         uses: actions/checkout@v4
@@ -126,7 +128,8 @@ jobs:
 
       - uses: google-github-actions/auth@v2
         with:
-          credentials_json: ${{ secrets.GCP_CREDENTIALS }}
+          project_id: "ibis-gbq"
+          workload_identity_provider: "${{ vars.WIF_PROVIDER_NAME }}"
 
       - name: setup databricks credentials
         if: matrix.backend.name == 'databricks'
diff --git a/.github/workflows/ibis-benchmarks.yml b/.github/workflows/ibis-benchmarks.yml
index 2a9de3a4877b..c605e0b7e161 100644
--- a/.github/workflows/ibis-benchmarks.yml
+++ b/.github/workflows/ibis-benchmarks.yml
@@ -43,7 +43,8 @@ jobs:
 
       - uses: google-github-actions/auth@v2
         with:
-          credentials_json: ${{ secrets.GCP_CREDENTIALS }}
+          project_id: "ibis-gbq"
+          workload_identity_provider: "${{ vars.WIF_PROVIDER_NAME }}"
 
       - uses: google-github-actions/setup-gcloud@v2