diff --git a/lib/ansible/modules/cloud/google/gcp_pubsub_subscription.py b/lib/ansible/modules/cloud/google/gcp_pubsub_subscription.py
index 3339ac4ace7..8963a6cf514 100644
--- a/lib/ansible/modules/cloud/google/gcp_pubsub_subscription.py
+++ b/lib/ansible/modules/cloud/google/gcp_pubsub_subscription.py
@@ -78,6 +78,32 @@ options:
 required: false
 type: dict
 suboptions:
+ oidc_token:
+ description:
+ - If specified, Pub/Sub will generate and attach an OIDC JWT token as an Authorization
+ header in the HTTP request for every pushed message.
+ required: false
+ type: dict
+ version_added: '2.10'
+ suboptions:
+ service_account_email:
+ description:
+ - Service account email to be used for generating the OIDC token.
+ - The caller (for subscriptions.create, subscriptions.patch, and subscriptions.modifyPushConfig
+ RPCs) must have the iam.serviceAccounts.actAs permission for the service
+ account.
+ required: true
+ type: str
+ audience:
+ description:
+ - 'Audience to be used when generating OIDC token. The audience claim
+ identifies the recipients that the JWT is intended for. The audience
+ value is a single case-sensitive string. Having multiple values (array)
+ for the audience field is not supported. More info about the OIDC JWT
+ token audience here: U(https://tools.ietf.org/html/rfc7519#section-4.1.3)
+ Note: if not specified, the Push endpoint URL will be used.'
+ required: false
+ type: str
 push_endpoint:
 description:
 - A URL locating the endpoint to which messages should be pushed.
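Review bot: The new `oidc_token` option documentation states which IAM permission the caller needs but says nothing about what the token means on the receiving side, which is where the security decision actually lands: once this is set, every push to `push_endpoint` carries a Google-signed bearer token for `service_account_email`, and an endpoint that does not check the signature, the `aud` claim (per the same text, defaulting to the push endpoint URL) and the identity claim will accept any token minted for that account. I would add a line under the `oidc_token` description such as `- The service behind I(push_endpoint) should verify the token's signature, C(aud) and identity (C(email)) claims before trusting a pushed message.` Because `iam.serviceAccounts.actAs` lets the credentials running this module have Pub/Sub mint identity tokens as that service account, a note recommending a dedicated service account with no other roles would also be worth adding; that is the usual GCP guidance rather than anything the hunk itself states. The DOCUMENTATION block this hunk edits starts and ends outside the hunk.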
@@ -262,6 +288,31 @@ pushConfig:
 returned: success
 type: complex
 contains:
+ oidcToken:
+ description:
+ - If specified, Pub/Sub will generate and attach an OIDC JWT token as an Authorization
+ header in the HTTP request for every pushed message.
+ returned: success
+ type: complex
+ contains:
+ serviceAccountEmail:
+ description:
+ - Service account email to be used for generating the OIDC token.
+ - The caller (for subscriptions.create, subscriptions.patch, and subscriptions.modifyPushConfig
+ RPCs) must have the iam.serviceAccounts.actAs permission for the service
+ account.
+ returned: success
+ type: str
+ audience:
+ description:
+ - 'Audience to be used when generating OIDC token. The audience claim identifies
+ the recipients that the JWT is intended for. The audience value is a single
+ case-sensitive string. Having multiple values (array) for the audience
+ field is not supported. More info about the OIDC JWT token audience here:
+ U(https://tools.ietf.org/html/rfc7519#section-4.1.3) Note: if not specified,
+ the Push endpoint URL will be used.'
+ returned: success
+ type: str
 pushEndpoint:
 description:
 - A URL locating the endpoint to which messages should be pushed.
@@ -368,7 +419,14 @@ def main():
 name=dict(required=True, type='str'),
 topic=dict(required=True, type='dict'),
 labels=dict(type='dict'),
- push_config=dict(type='dict', options=dict(push_endpoint=dict(required=True, type='str'), attributes=dict(type='dict'))),
+ push_config=dict(
+ type='dict',
+ options=dict(
+ oidc_token=dict(type='dict', options=dict(service_account_email=dict(required=True, type='str'), audience=dict(type='str'))),
+ push_endpoint=dict(required=True, type='str'),
+ attributes=dict(type='dict'),
+ ),
+ ),
 ack_deadline_seconds=dict(type='int'),
 message_retention_duration=dict(default='604800s', type='str'),
 retain_acked_messages=dict(type='bool'),
@@ -561,10 +619,37 @@ class SubscriptionPushconfig(object):
 self.request = {}
 
 def to_request(self):
- return remove_nones_from_dict({u'pushEndpoint': self.request.get('push_endpoint'), u'attributes': self.request.get('attributes')})
+ return remove_nones_from_dict(
+ {
+ u'oidcToken': SubscriptionOidctoken(self.request.get('oidc_token', {}), self.module).to_request(),
+ u'pushEndpoint': self.request.get('push_endpoint'),
+ u'attributes': self.request.get('attributes'),
+ }
+ )
+
+ def from_response(self):
+ return remove_nones_from_dict(
+ {
+ u'oidcToken': SubscriptionOidctoken(self.request.get(u'oidcToken', {}), self.module).from_response(),
+ u'pushEndpoint': self.request.get(u'pushEndpoint'),
+ u'attributes': self.request.get(u'attributes'),
+ }
+ )
+
+
+ class SubscriptionOidctoken(object):
+ def __init__(self, request, module):
+ self.module = module
+ if request:
+ self.request = request
+ else:
+ self.request = {}
+
+ def to_request(self):
+ return remove_nones_from_dict({u'serviceAccountEmail': self.request.get('service_account_email'), u'audience': self.request.get('audience')})
 
 def from_response(self):
- return remove_nones_from_dict({u'pushEndpoint': self.request.get(u'pushEndpoint'), u'attributes': self.request.get(u'attributes')})
+ return remove_nones_from_dict({u'serviceAccountEmail': self.request.get(u'serviceAccountEmail'), u'audience': self.request.get(u'audience')})
 
 
 class SubscriptionExpirationpolicy(object):
diff --git a/lib/ansible/modules/cloud/google/gcp_pubsub_subscription_info.py b/lib/ansible/modules/cloud/google/gcp_pubsub_subscription_info.py
index 131acffe54c..44e51b231d2 100644
--- a/lib/ansible/modules/cloud/google/gcp_pubsub_subscription_info.py
+++ b/lib/ansible/modules/cloud/google/gcp_pubsub_subscription_info.py
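Review bot: The reworked `SubscriptionPushconfig.to_request` builds the `SubscriptionOidctoken` sub-object unconditionally, so when the user gave no `oidc_token` the `u'oidcToken'` entry holds an empty dict and the request is only clean if `remove_nones_from_dict` (defined outside this hunk) also drops `{}`; if it only strips `None`, the API would receive `"oidcToken": {}` on every push subscription. That dependency deserves a comment above the `u'oidcToken'` line, e.g. `# an unset oidc_token serialises to {} and relies on remove_nones_from_dict dropping empty dicts`, and the same applies to the mirrored `from_response` entry. The new `SubscriptionOidctoken` class also has no docstring; `"""Maps the oidc_token sub-option to and from the API's pushConfig.oidcToken object (serviceAccountEmail, audience)."""` would tell a reader which field it wraps, which the name alone does not. `SubscriptionPushconfig` begins before this hunk and `SubscriptionExpirationpolicy` continues after it.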
@@ -127,6 +127,31 @@ resources:
 returned: success
 type: complex
 contains:
+ oidcToken:
+ description:
+ - If specified, Pub/Sub will generate and attach an OIDC JWT token as an
+ Authorization header in the HTTP request for every pushed message.
+ returned: success
+ type: complex
+ contains:
+ serviceAccountEmail:
+ description:
+ - Service account email to be used for generating the OIDC token.
+ - The caller (for subscriptions.create, subscriptions.patch, and subscriptions.modifyPushConfig
+ RPCs) must have the iam.serviceAccounts.actAs permission for the service
+ account.
+ returned: success
+ type: str
+ audience:
+ description:
+ - 'Audience to be used when generating OIDC token. The audience claim
+ identifies the recipients that the JWT is intended for. The audience
+ value is a single case-sensitive string. Having multiple values (array)
+ for the audience field is not supported. More info about the OIDC
+ JWT token audience here: U(https://tools.ietf.org/html/rfc7519#section-4.1.3)
+ Note: if not specified, the Push endpoint URL will be used.'
+ returned: success
+ type: str
 pushEndpoint:
 description:
 - A URL locating the endpoint to which messages should be pushed.