diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5f828ac582db903a89dc331a7a519d212d397ee7..71a7e0622204c81fcc35c1143421f6c029c8860b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,10 @@
+## [7.1.1](https://gitlab.com/to-be-continuous/kubernetes/compare/7.1.0...7.1.1) (2025-02-03)
+
+
+### Bug Fixes
+
+* **gcp:** reduce scope of GCP App Default Creds script to template ([8a3c727](https://gitlab.com/to-be-continuous/kubernetes/commit/8a3c72777b9bcc1dbb205464903c00feb6ccf753))
+
 # [7.1.0](https://gitlab.com/to-be-continuous/kubernetes/compare/7.0.0...7.1.0) (2025-02-01)
 
 
diff --git a/README.md b/README.md
index 618e4d40624ded26b10246c1ddd175e5c53f69a9..757b93f65c30a868e4d2e4e52e3a246ba9063ef3 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ Add the following to your `.gitlab-ci.yml`:
 ```yaml
 include:
   # 1: include the component
-  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8s@7.1.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8s@7.1.1
     # 2: set/override component inputs
     inputs:
       # ⚠ this is only an example
@@ -35,7 +35,7 @@ Add the following to your `.gitlab-ci.yml`:
 include:
   # 1: include the template
   - project: 'to-be-continuous/kubernetes'
-    ref: '7.1.0'
+    ref: '7.1.1'
     file: '/templates/gitlab-ci-k8s.yml'
 
 variables:
@@ -523,12 +523,12 @@ With:
 ```yaml
 include:
   # main template
-  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8s@7.1.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8s@7.1.1
     inputs:
       # ⚠ oc-container image (includes required curl)
       kubectl-image: registry.hub.docker.com/docker.io/appuio/oc:v4.14
   # Vault variant
-  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8s-vault@7.1.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8s-vault@7.1.1
     inputs:
       # audience claim for JWT
       vault-oidc-aud: "https://vault.acme.host"
@@ -589,9 +589,9 @@ With a common default `GCP_OIDC_PROVIDER` and `GCP_OIDC_ACCOUNT` configuration f
 ```yaml
 include:
   # main template
-  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8s@7.1.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8s@7.1.1
   # Google Cloud variant
-  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8ss-gcp@7.1.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/kubernetes/gitlab-ci-k8ss-gcp@7.1.1
     inputs:
       # common OIDC config for non-prod envs
       gcp-oidc-provider: "projects/<gcp_nonprod_proj_id>/locations/global/workloadIdentityPools/<pool_id>/providers/<provider_id>"
diff --git a/templates/gitlab-ci-k8s-vault.yml b/templates/gitlab-ci-k8s-vault.yml
index bdaf7e03b536b4bf9b8d8d4930f055d43702e42d..0e8355a9fc5bd88ccede027a23ad8c2c3d0bb2c4 100644
--- a/templates/gitlab-ci-k8s-vault.yml
+++ b/templates/gitlab-ci-k8s-vault.yml
@@ -22,7 +22,7 @@ variables:
 .k8s-base:
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "--port", "8082", "kubernetes", "7.1.0"]
+      command: ["--service", "--port", "8082", "kubernetes", "7.1.1"]
     - name: "$TBC_VAULT_IMAGE"
       alias: "vault-secrets-provider"
   variables:
diff --git a/templates/gitlab-ci-k8s.yml b/templates/gitlab-ci-k8s.yml
index 78e545f3e47751e6f65ef7f6cad1b706ae4282c5..0a38b169c5c4c0de18013adbae753c3cebbfde07 100644
--- a/templates/gitlab-ci-k8s.yml
+++ b/templates/gitlab-ci-k8s.yml
@@ -862,7 +862,7 @@ stages:
     entrypoint: [""]
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "kubernetes", "7.1.0"]
+      command: ["--service", "kubernetes", "7.1.1"]
   before_script:
     - !reference [.k8s-scripts]
     - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"