diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b1cb7c698..cf51d75a7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,8 +15,8 @@ permissions:
 contents: read
 env:
- ELASTIC_CDN_BUCKET_NAME: ${{ inputs.dry-run == false && 'apm-rum-357700bc' || 'oblt-apm-agent-rum-js-ci' }}
- ELASTIC_CDN_CREDENTIALS: ${{ inputs.dry-run == false && 'secret/gce/elastic-cdn/service-account/apm-rum-admin' || 'secret/observability-team/ci/service-account/apm-agent-rum-js' }}
+ ELASTIC_CDN_BUCKET_NAME: ${{ inputs.dry-run == false && 'apm-rum-357700bc' || 'oblt-apm-rum-test' }}
+ ELASTIC_CDN_PROJECT_NUMBER: ${{ inputs.dry-run == false && '382950469386' || '911195782929' }}
 SLACK_BUILD_MESSAGE: "Build: (<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|here>)"
 jobs:
@@ -25,6 +25,7 @@ jobs:
 permissions:
 # Needed to write the release changelog
 contents: write
+ id-token: write
 services:
 verdaccio:
 image: verdaccio/verdaccio:5
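Review bot: The new `ELASTIC_CDN_PROJECT_NUMBER` line selects the production project with `inputs.dry-run == false`, and GitHub's expression `==` is a loose comparison, so an unset `dry-run` input is coerced and also compares equal to `false`. The workflow triggers are outside this hunk, so whether a run without inputs can happen is not visible here; if it can, that run would authenticate against the production project and bucket. A comment above the two variables would make the default explicit, e.g. `# dry-run unset or false selects the production bucket and project`.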
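Review bot: `id-token: write` is added without a comment, while the neighbouring `contents: write` has one; add `# Needed to request the OIDC token for Google Cloud authentication` above it. The permission is granted to the whole job rather than to the auth step alone, so the trust conditions on the GCP side (repository, ref, workflow) are the effective control and should be as narrow as the release process allows. The rest of the job is outside this hunk.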
@@ -61,21 +62,13 @@ jobs:
 echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > .npmrc
 npm run ci:release
- - name: Read GCE vault secrets
- uses: hashicorp/vault-action@v3.0.0
+ # The permissions configuration for this can be found at
+ # https://github.com/elastic/oblt-infra/blob/main/conf/resources/repos/apm-agent-rum-js/02-gcp-oidc-elastic-cdn.tf
+ # and
+ # https://github.com/elastic/oblt-infra/blob/main/conf/resources/repos/apm-agent-rum-js/02-gcp-oidc-elastic-observability.tf
+ - uses: elastic/oblt-actions/google/auth@v1
 with:
- method: approle
- url: ${{ secrets.VAULT_ADDR }}
- roleId: ${{ secrets.VAULT_ROLE_ID }}
- secretId: ${{ secrets.VAULT_SECRET_ID }}
- secrets: |
- ${{ env.ELASTIC_CDN_CREDENTIALS }} value | GOOGLE_CREDENTIALS ;
-
- - name: 'Authenticate to Google Cloud'
- uses: 'google-github-actions/auth@v2'
- with:
- credentials_json: '${{ env.GOOGLE_CREDENTIALS }}'
- create_credentials_file: true
+ project-number: ${{ env.ELASTIC_CDN_PROJECT_NUMBER }}
 - id: prepare-release
 name: 'Prepare CDN release'
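Review bot: `elastic/oblt-actions/google/auth@v1` is referenced by a movable tag in a job that holds `contents: write`, `id-token: write` and `NPM_TOKEN`. Pinning it to a full commit SHA keeps the code that performs the OIDC exchange fixed between releases, e.g. `- uses: elastic/oblt-actions/google/auth@<full-commit-sha> # v1`. The new step also has no `name:`, unlike the steps around it; the removed step's `name: 'Authenticate to Google Cloud'` could be kept. The job's step list continues outside this hunk.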