diff --git a/lib/gitlab/ci/jwt_v2.rb b/lib/gitlab/ci/jwt_v2.rb
index 90db9d13d85908d7f70b53d584f52b6529084516..e559615b7a643b188af770cf88e81d8e91e8039f 100644
--- a/lib/gitlab/ci/jwt_v2.rb
+++ b/lib/gitlab/ci/jwt_v2.rb
@@ -9,25 +9,27 @@ class JwtV2 < Jwt
 GITLAB_HOSTED_RUNNER = 'gitlab-hosted'
 SELF_HOSTED_RUNNER = 'self-hosted'
- def self.for_build(build, aud: DEFAULT_AUD)
- new(build, ttl: build.metadata_timeout, aud: aud).encoded
+ def self.for_build(build, aud: DEFAULT_AUD, wlif: nil)
+ new(build, ttl: build.metadata_timeout, aud: aud, wlif: wlif).encoded
 end
- def initialize(build, ttl:, aud:)
+ def initialize(build, ttl:, aud:, wlif:)
 super(build, ttl: ttl)
 @aud = aud
+ @wlif = wlif
 end
 private
- attr_reader :aud
+ attr_reader :aud, :wlif
 def reserved_claims
 super.merge({
 iss: Feature.enabled?(:oidc_issuer_url) ? Gitlab.config.gitlab.url : Settings.gitlab.base_url,
 sub: "project_path:#{project.full_path}:ref_type:#{ref_type}:ref:#{source_ref}",
- aud: aud
+ aud: aud,
+ wlif: wlif
 }.compact)
 end
diff --git a/spec/lib/gitlab/ci/jwt_spec.rb b/spec/lib/gitlab/ci/jwt_spec.rb
index f0b203961b40c6bb152cbe991b2e9a465498c2a9..ee0b7e8c5d07f5e3f8a90e9047b37604673c322e 100644
--- a/spec/lib/gitlab/ci/jwt_spec.rb
+++ b/spec/lib/gitlab/ci/jwt_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-RSpec.describe Gitlab::Ci::Jwt do
+RSpec.describe Gitlab::Ci::Jwt, feature_category: :secrets_management do
 let(:namespace) { build_stubbed(:namespace) }
 let(:project) { build_stubbed(:project, namespace: namespace) }
 let(:user) { build_stubbed(:user) }
diff --git a/spec/lib/gitlab/ci/jwt_v2_spec.rb b/spec/lib/gitlab/ci/jwt_v2_spec.rb
index 1093e6331cdaaf4662c4d66b01b3e40e7eb343a4..7a51e905a14fdf68742a842d746ec88d87abe8ad 100644
--- a/spec/lib/gitlab/ci/jwt_v2_spec.rb
+++ b/spec/lib/gitlab/ci/jwt_v2_spec.rb
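Review bot: `initialize` now declares `wlif:` as a required keyword while `for_build` defaults it to `nil`, so any other direct caller of `JwtV2.new` raises `ArgumentError` on the new side (the spec's `subject` had to be changed for exactly this reason); `def initialize(build, ttl:, aud:, wlif: nil)` keeps `new` backward-compatible and matches the class-method default. `wlif` is not a registered JWT claim (RFC 7519 registers iss, sub, aud, exp, nbf, iat, jti), so emitting it from `reserved_claims` deserves a comment such as `# wlif: non-registered claim passed through from the caller; dropped by compact when nil` rather than sitting unexplained beside iss/sub/aud. The value is written into the signed payload exactly as received; if it can originate from user-editable CI configuration, a format check at the point it is read would bound what a job can embed in a token GitLab signs, which is not visible in this hunk. The enclosing class continues outside the hunk.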
@@ -15,6 +15,7 @@
 let(:pipeline) { build_stubbed(:ci_pipeline, ref: 'auto-deploy-2020-03-19') }
 let(:runner) { build_stubbed(:ci_runner) }
 let(:aud) { described_class::DEFAULT_AUD }
+ let(:wlif) { nil }
 let(:build) do
 build_stubbed(
@@ -26,7 +27,7 @@
 )
 end
- subject(:ci_job_jwt_v2) { described_class.new(build, ttl: 30, aud: aud) }
+ subject(:ci_job_jwt_v2) { described_class.new(build, ttl: 30, aud: aud, wlif: wlif) }
 it { is_expected.to be_a Gitlab::Ci::Jwt }
@@ -79,6 +80,18 @@
 it 'uses that aud in the payload' do
 expect(payload[:aud]).to eq('AWS')
 end
+
+ it 'does not use wlif claim in the payload' do
+ expect(payload.include?(:wlif)).to be_falsey
+ end
+ end
+
+ context 'when given an wlif claim' do
+ let(:wlif) { '//iam.googleapis.com/foo' }
+
+ it 'uses specified wlif in the payload' do
+ expect(payload[:wlif]).to eq(wlif)
+ end
 end
 describe 'custom claims' do
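Review bot: `expect(payload.include?(:wlif)).to be_falsey` in the added 'does not use wlif claim in the payload' example only reports "expected falsey, got true" when it fails; `expect(payload).not_to have_key(:wlif)` states the intent and prints the offending payload. That example also appears to sit inside the context that overrides `aud` to `'AWS'`, so the `wlif: nil` default is never checked against the plain `subject`; a sibling example at the describe level, `it { expect(payload).not_to have_key(:wlif) }`, would pin that the claim is absent whenever no value is given, which is the property the `.compact` call in the implementation is relied on for. The new context description `'when given an wlif claim'` should read `'when given a wlif claim'`.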