diff --git a/src/config/hub-and-spoke-firewall.tfvars b/src/config/hub-and-spoke-firewall.tfvars index 84464cc..6cd1f29 100644 --- a/src/config/hub-and-spoke-firewall.tfvars +++ b/src/config/hub-and-spoke-firewall.tfvars @@ -35,6 +35,26 @@ labels = { # plan_name = "Observability-Starter-EU01" # } +# # Federated identity providers for the management service account (e.g. GitHub Actions OIDC) +# federated_identity_providers = [ +# { +# name = "gh-actions" +# issuer = "https://token.actions.githubusercontent.com" +# assertions = [ +# { +# item = "aud" +# operator = "equals" +# value = "sts.accounts.stackit.cloud" +# }, +# { +# item = "sub" +# operator = "equals" +# value = "repo:my-org/my-repo:ref:refs/heads/main" +# } +# ] +# } +# ] + ################## ## CONNECTIVITY ## ################## diff --git a/src/config/hub-and-spoke.tfvars b/src/config/hub-and-spoke.tfvars index 33a46fb..d6c96bf 100644 --- a/src/config/hub-and-spoke.tfvars +++ b/src/config/hub-and-spoke.tfvars @@ -35,6 +35,26 @@ labels = { # plan_name = "Observability-Starter-EU01" # } +# # Federated identity providers for the management service account (e.g. GitHub Actions OIDC) +# federated_identity_providers = [ +# { +# name = "gh-actions" +# issuer = "https://token.actions.githubusercontent.com" +# assertions = [ +# { +# item = "aud" +# operator = "equals" +# value = "sts.accounts.stackit.cloud" +# }, +# { +# item = "sub" +# operator = "equals" +# value = "repo:my-org/my-repo:ref:refs/heads/main" +# } +# ] +# } +# ] + ################## ## CONNECTIVITY ## ################## diff --git a/src/config/standalone.tfvars b/src/config/standalone.tfvars index 71c99a1..a662541 100644 --- a/src/config/standalone.tfvars +++ b/src/config/standalone.tfvars 
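Review bot: The commented example in hub-and-spoke-firewall.tfvars shows the two assertions without saying that they are the entire trust boundary: the `sub` value `repo:my-org/my-repo:ref:refs/heads/main` is what restricts which workflow may act as the management service account, whereas an `aud` check alone would accept a token minted for any repository on that issuer. A one-line comment above the `assertions` list would make that explicit, e.g. `# # The "sub" assertion scopes trust to one repository and ref — never omit it; replace my-org/my-repo with your own`. The identical example block is repeated in hub-and-spoke.tfvars (same physical line) and in standalone.tfvars (next hunk), so the comment belongs in all three.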
@@ -31,6 +31,26 @@ labels = { # "auditor@example.com" # ] +# # Federated identity providers for the management service account (e.g. GitHub Actions OIDC) +# federated_identity_providers = [ +# { +# name = "gh-actions" +# issuer = "https://token.actions.githubusercontent.com" +# assertions = [ +# { +# item = "aud" +# operator = "equals" +# value = "sts.accounts.stackit.cloud" +# }, +# { +# item = "sub" +# operator = "equals" +# value = "repo:my-org/my-repo:ref:refs/heads/main" +# } +# ] +# } +# ] + ############ ## DEVOPS ## ############ diff --git a/src/main.tf b/src/main.tf index 8469371..ef7d809 100644 --- a/src/main.tf +++ b/src/main.tf @@ -21,12 +21,13 @@ module "governance" { module "management" { source = "./modules/management" - owner_email = var.owner_email - naming_pattern = "${var.company_code}-pltfm-mgmt-prod" - parent_container_id = module.governance.folder_container_ids["platform"] - organization_id = var.organization_id - labels = var.labels - observability = var.observability + owner_email = var.owner_email + naming_pattern = "${var.company_code}-pltfm-mgmt-prod" + parent_container_id = module.governance.folder_container_ids["platform"] + organization_id = var.organization_id + labels = var.labels + observability = var.observability + federated_identity_providers = var.federated_identity_providers } ################## diff --git a/src/modules/management/4-service-account.tf b/src/modules/management/4-service-account.tf index 96d66b8..4652731 100644 --- a/src/modules/management/4-service-account.tf +++ b/src/modules/management/4-service-account.tf 
@@ -33,4 +33,19 @@ resource "vault_kv_secret_v2" "service_account_key_automation" { cas = 1 delete_all_versions = true data_json = stackit_service_account_key.automation.json +} + +############################## +## FEDERATED IDENTITY PROVIDER +############################## + +resource "stackit_service_account_federated_identity_provider" "this" { + for_each = { for idx, fip in var.federated_identity_providers : fip.name => fip } + + project_id = stackit_resourcemanager_project.this.project_id + service_account_email = stackit_service_account.automation.email + name = each.value.name + issuer = each.value.issuer + + assertions = each.value.assertions } \ No newline at end of file diff --git a/src/modules/management/variables.tf b/src/modules/management/variables.tf index e536fd2..a5e5ed6 100644 --- a/src/modules/management/variables.tf +++ b/src/modules/management/variables.tf @@ -51,4 +51,18 @@ variable "role_assignments" { })) description = "List of role assignments for the project. Subject can be a user email or service account email." default = [] +} + +variable "federated_identity_providers" { + type = list(object({ + name = string + issuer = string + assertions = list(object({ + item = string + operator = string + value = string + })) + })) + description = "List of federated identity providers to configure for the management service account." + default = [] } \ No newline at end of file diff --git a/src/variables.tf b/src/variables.tf index 8e264b1..0b707b5 100644 --- a/src/variables.tf +++ b/src/variables.tf @@ -69,6 +69,20 @@ variable "observability" { default = null } +variable "federated_identity_providers" { + type = list(object({ + name = string + issuer = string + assertions = list(object({ + item = string + operator = string + value = string + })) + })) + description = "List of federated identity providers to configure for the management service account." + default = [] +} + variable "rm_folders" { type = map(object({ name = string
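Review bot: The `for_each` in 4-service-account.tf keys the resources by `fip.name` but nothing enforces uniqueness, so two entries sharing a name fail at plan time with Terraform's generic duplicate-key error instead of a message naming the variable, and the unused `idx` can go: `for_each = { for fip in var.federated_identity_providers : fip.name => fip }`. More important, `assertions` is passed through unchecked, and a provider configured with only an `aud` assertion would let any token from that issuer act as the automation service account, so the module's variables.tf (and the mirrored root variable in src/variables.tf) should validate the input and its description should state that a `sub` constraint is expected. Both 4-service-account.tf and the module's variables.tf are also left with `\ No newline at end of file` after the change. The validation below assumes Terraform 1.3 or newer for `startswith`; if some issuers legitimately identify the caller by a claim other than `sub`, relax the third check to a documented requirement rather than dropping it.
```hcl
variable "federated_identity_providers" {
  # … unchanged: type, description, default …

  validation {
    condition     = length(distinct([for fip in var.federated_identity_providers : fip.name])) == length(var.federated_identity_providers)
    error_message = "Each federated identity provider must have a unique name."
  }

  validation {
    condition     = alltrue([for fip in var.federated_identity_providers : startswith(fip.issuer, "https://")])
    error_message = "Issuer must be an https:// URL."
  }

  validation {
    condition     = alltrue([for fip in var.federated_identity_providers : contains([for a in fip.assertions : a.item], "sub")])
    error_message = "Each federated identity provider must include an assertion on the \"sub\" claim."
  }
}
```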