diff --git a/.gitlab/ci/as-if-jh.gitlab-ci.yml b/.gitlab/ci/as-if-jh.gitlab-ci.yml
index 6c1c3357089bf3fe7be365bdaee26de957fd36c0..1c7055b1f941344e8b802ca29aaf4b23c5cf011d 100644
--- a/.gitlab/ci/as-if-jh.gitlab-ci.yml
+++ b/.gitlab/ci/as-if-jh.gitlab-ci.yml
@@ -1,7 +1,6 @@
 .as-if-jh-sandbox-variables:
   variables:
     AS_IF_JH_BRANCH: "as-if-jh/${CI_COMMIT_REF_NAME}"
-    JH_MIRROR_REPOSITORY: "https://dummy:${ADD_JH_FILES_TOKEN}@gitlab.com/gitlab-org/gitlab-jh-mirrors/gitlab.git"
     SANDBOX_REPOSITORY: "https://dummy:${AS_IF_JH_TOKEN}@gitlab.com/gitlab-org-sandbox/gitlab-jh-validation.git"
 
 .shared-as-if-jh:
@@ -14,12 +13,20 @@
 add-jh-files:
   extends:
     - .shared-as-if-jh
+    - .with_secret
     - .as-if-jh:rules:prepare-as-if-jh
   image: ${GITLAB_DEPENDENCY_PROXY_ADDRESS}ruby:${RUBY_VERSION}
   stage: prepare
   needs: []
+  secrets:
+    ADD_JH_FILES_TOKEN:
+      gcp_secret_manager:
+        name: ADD_JH_FILES_TOKEN
+      token: $GCP_ID_TOKEN
   before_script:
     - source ./scripts/utils.sh
+    - export ADD_JH_FILES_TOKEN="$(cat ${ADD_JH_FILES_TOKEN})"
+    - export JH_MIRROR_REPOSITORY="https://dummy:${ADD_JH_FILES_TOKEN}@gitlab.com/gitlab-org/gitlab-jh-mirrors/gitlab.git"
     - source ./scripts/setup/as-if-jh.sh
     - install_gitlab_gem
   script:
diff --git a/.gitlab/ci/global.gitlab-ci.yml b/.gitlab/ci/global.gitlab-ci.yml
index 2974ace34c406769b2e20fd0d14bdc63ea7de125..2e42283eff04a03494eb6081cbc48a2f3fe79048 100644
--- a/.gitlab/ci/global.gitlab-ci.yml
+++ b/.gitlab/ci/global.gitlab-ci.yml
@@ -514,3 +514,8 @@
       curl -f --header "Private-Token: ${PROJECT_TOKEN_FOR_CI_SCRIPTS_API_USAGE}" "${url}" --create-dirs --output scripts/utils.sh
     - source scripts/utils.sh
     - run_timed_command "download_files ${FILES_TO_DOWNLOAD}"
+
+.with_secret:
+  id_tokens:
+    GCP_ID_TOKEN:
+      aud: https://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID}/providers/${GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID}