diff --git a/.github/workflows/java_complete.yml b/.github/workflows/java_complete.yml
index 6527a80030..716cbc950d 100644
--- a/.github/workflows/java_complete.yml
+++ b/.github/workflows/java_complete.yml
@@ -40,6 +40,9 @@ jobs:
           path: ${{ github.workspace }}/docs/coverage/java/target/site/jacoco-aggregate/
 
   integration-test:
+    # all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes.
+    if: (github.event.action == 'labeled' && (github.event.label.name == 'approved' || github.event.label.name == 'ok-to-test'))
+      || (github.event.action != 'labeled' && (contains(github.event.pull_request.labels.*.name, 'ok-to-test') || contains(github.event.pull_request.labels.*.name, 'approved')))
     runs-on: ubuntu-latest
     needs: unit-test-java
     services:
@@ -72,6 +75,22 @@ jobs:
           key: ${{ runner.os }}-it-maven-${{ hashFiles('**/pom.xml') }}
           restore-keys: |
             ${{ runner.os }}-it-maven-
+      - name: Set up gcloud SDK
+        uses: google-github-actions/setup-gcloud@v0
+        with:
+          project_id: ${{ secrets.GCP_PROJECT_ID }}
+          service_account_key: ${{ secrets.GCP_SA_KEY }}
+          export_default_credentials: true
+      - name: Use gcloud CLI
+        run: gcloud info
+      - name: Set up AWS SDK
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-west-2
+      - name: Use AWS CLI
+        run: aws sts get-caller-identity
       - name: Run integration tests
         run:  make test-java-integration
       - name: Save report