diff --git a/blueprints/cloud-operations/terraform-enterprise-wif/gcp-workload-identity-provider/main.tf b/blueprints/cloud-operations/terraform-enterprise-wif/gcp-workload-identity-provider/main.tf
index 543e9d72..5ced2e3c 100644
--- a/blueprints/cloud-operations/terraform-enterprise-wif/gcp-workload-identity-provider/main.tf
+++ b/blueprints/cloud-operations/terraform-enterprise-wif/gcp-workload-identity-provider/main.tf
@@ -49,12 +49,18 @@ resource "google_iam_workload_identity_pool_provider" "tfe-pool-provider" {
 workload_identity_pool_provider_id = var.workload_identity_pool_provider_id
 display_name = "TFE Pool Provider"
 description = "OIDC identity pool provider for TFE Integration"
- # Use condition to make sure only token generated for a specific TFE Org and workspace can be used
- attribute_condition = "attribute.terraform_workspace_id == \"${var.tfe_workspace_id}\" && attribute.terraform_organization_id == \"${var.tfe_organization_id}\""
+ # Use condition to make sure only token generated for a specific TFE Org can be used across org workspaces
+ attribute_condition = "attribute.terraform_organization_id == \"${var.tfe_organization_id}\""
 attribute_mapping = {
- "google.subject" = "assertion.sub"
- "attribute.terraform_organization_id" = "assertion.terraform_organization_id"
- "attribute.terraform_workspace_id" = "assertion.terraform_workspace_id"
+ "google.subject" = "assertion.sub"
+ "attribute.aud" = "assertion.aud"
+ "attribute.terraform_run_phase" = "assertion.terraform_run_phase"
+ "attribute.terraform_workspace_id" = "assertion.terraform_workspace_id"
+ "attribute.terraform_workspace_name" = "assertion.terraform_workspace_name"
+ "attribute.terraform_organization_id" = "assertion.terraform_organization_id"
+ "attribute.terraform_organization_name" = "assertion.terraform_organization_name"
+ "attribute.terraform_run_id" = "assertion.terraform_run_id"
+ "attribute.terraform_full_workspace" = "assertion.terraform_full_workspace"
 }
 oidc {
 # Should be different if self hosted TFE instance is used
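Review bot: Removing the workspace clause from attribute_condition means the provider now accepts tokens from every workspace in the organization, so the per-workspace restriction rests entirely on the principalSet binding in the second hunk (`attribute.terraform_workspace_id/${var.tfe_workspace_id}` on sa-tfe), and the new comment should record that invariant so a later pool-wide grant does not silently widen access, e.g. `# Org-scoped on purpose: the workspace restriction lives in the principalSet binding on sa-tfe; never grant roles to this pool with a trailing /*`. The condition still interpolates var.tfe_organization_id into a quoted CEL string (hunk 2 does the same with var.tfe_workspace_id), so a validation block constraining both variables to the expected identifier format would keep a stray quote from changing the expression; that variables file is outside this diff. attribute.terraform_run_phase is now mapped but unused, and if only apply-phase runs should reach the service account that check belongs in attribute_condition, since a principalSet path can carry only a single attribute.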
@@ -72,7 +78,9 @@ module "sa-tfe" {
 name = "sa-tfe"
 iam = {
- "roles/iam.workloadIdentityUser" = ["principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.tfe-pool.name}/*"]
+ # We allow only tokens generated by a specific TFE workspace impersonation of the service account,
+ # that way one identity pool can be used for a TFE Organization, but every workspace will be able to impersonate only a specifc SA
+ "roles/iam.workloadIdentityUser" = ["principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.tfe-pool.name}/attribute.terraform_workspace_id/${var.tfe_workspace_id}"]
 }
 iam_project_roles = {