diff --git a/.github/actions/setup-rust/action.yml b/.github/actions/setup-rust/action.yml
new file mode 100644
index 000000000..ca70664d5
--- /dev/null
+++ b/.github/actions/setup-rust/action.yml
@@ -0,0 +1,38 @@
+name: "Setup Rust"
+description: "Sets up the correct Rust version and caching via sccache and a GCP backend"
+inputs:
+  targets:
+    description: "Additional targets to install"
+    required: false
+    default: ""
+runs:
+  using: "composite"
+  steps:
+    - id: auth
+      uses: google-github-actions/auth@v1
+      with:
+        workload_identity_provider: "projects/397012414171/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions"
+        service_account: "github-actions@github-iam-387915.iam.gserviceaccount.com"
+    - run: |
+        echo "SCCACHE_GCS_BUCKET=firezone-sccache" >> $GITHUB_ENV
+        echo "SCCACHE_GCS_RW_MODE=READ_WRITE" >> $GITHUB_ENV
+      shell: bash
+    - uses: mozilla-actions/sccache-action@v0.0.3
+    - run: echo "RUSTC_WRAPPER=$SCCACHE_PATH" >> $GITHUB_ENV
+      shell: bash
+    - name: Extract Rust version
+      run: |
+        RUST_TOOLCHAIN=$(grep 'channel' rust-toolchain.toml | awk -F '"' '{print $2}')
+        echo "RUST_TOOLCHAIN=$RUST_TOOLCHAIN" >> $GITHUB_ENV
+      shell: bash
+      working-directory: ./rust
+    - uses: dtolnay/rust-toolchain@master
+      with:
+        toolchain: ${{ env.RUST_TOOLCHAIN }}
+        components: rustfmt,clippy
+    - run: rustup target add ${{ inputs.targets }}
+      if: inputs.targets != ''
+      shell: bash
+    - name: Start sccache
+      run: $SCCACHE_PATH --start-server
+      shell: bash
diff --git a/.github/workflows/kotlin.yml b/.github/workflows/kotlin.yml
index b4d3222d1..2eb7d3647 100644
--- a/.github/workflows/kotlin.yml
+++ b/.github/workflows/kotlin.yml
@@ -2,6 +2,10 @@ name: Kotlin
 on:
   workflow_call:
 
+permissions:
+  contents: 'read'
+  id-token: 'write'
+
 jobs:
   static-analysis:
     runs-on: ubuntu-22.04
@@ -32,12 +36,9 @@ jobs:
         working-directory: ./kotlin/android
     steps:
       - uses: actions/checkout@v4
-      - uses: Swatinem/rust-cache@v2
+      - uses: ./.github/actions/setup-rust
         with:
-          workspaces: ./rust
-          key: ubuntu-22.04-${{ runner.arch }}
-          save-if: ${{ github.ref == 'refs/heads/main' }}
-      - uses: dtolnay/rust-toolchain@stable
+          targets: armv7-linux-androideabi aarch64-linux-android x86_64-linux-android
       - uses: actions/setup-java@v3
         with:
           distribution: oracle
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 10b0ec076..34a5cb2fe 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -6,6 +6,10 @@ defaults:
   run:
     working-directory: ./rust
 
+permissions:
+  contents: 'read'
+  id-token: 'write'
+
 jobs:
   static-analysis:
     strategy:
@@ -27,14 +31,7 @@ jobs:
     runs-on: ${{ matrix.runs-on }}
     steps:
       - uses: actions/checkout@v4
-      - uses: Swatinem/rust-cache@v2
-        with:
-          workspaces: ./rust
-          save-if: ${{ github.ref == 'refs/heads/main' }}
-          key: ${{ matrix.runs-on }}-${{ runner.arch }}
-      - uses: dtolnay/rust-toolchain@stable
-        with:
-          components: rustfmt,clippy
+      - uses: ./.github/actions/setup-rust
       - run: cargo fmt -- --check
       - run: |
           cargo doc --all-features --no-deps --document-private-items ${{ matrix.packages }}
@@ -42,6 +39,7 @@ jobs:
           RUSTDOCFLAGS: "-D warnings"
       - run: |
           cargo clippy --all-targets --all-features ${{ matrix.packages }} -- -D warnings
+
   test:
     strategy:
       fail-fast: false
@@ -63,13 +61,7 @@ jobs:
     runs-on: ${{ matrix.runs-on }}
     steps:
       - uses: actions/checkout@v4
-      - uses: Swatinem/rust-cache@v2
-        with:
-          # Prevents runner.os caches from conflicting
-          key: ${{ matrix.runs-on }}-${{ runner.arch }}
-          workspaces: ./rust
-          save-if: ${{ github.ref == 'refs/heads/main' }}
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: ./.github/actions/setup-rust
       - run: cargo test --all-features ${{ matrix.packages }}
 
   smoke-test-relay:
@@ -79,10 +71,5 @@ jobs:
         working-directory: ./rust/relay
     steps:
       - uses: actions/checkout@v4
-      - uses: Swatinem/rust-cache@v2
-        with:
-          workspaces: ./rust
-          key: ubuntu-22.04-${{ runner.arch }}
-          save-if: ${{ github.ref == 'refs/heads/main' }}
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: ./.github/actions/setup-rust
       - run: ./run_smoke_test.sh
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index 7d33ceae2..9ded0d6df 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -7,12 +7,6 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
-      - uses: Swatinem/rust-cache@v2
-        with:
-          workspaces: ./rust
-          key: ubuntu-22.04-${{ runner.arch }}
-          save-if: ${{ github.ref == 'refs/heads/main' }}
-      - uses: dtolnay/rust-toolchain@stable
       - name: Check version is up to date
         run: |
           make version
diff --git a/.github/workflows/swift.yml b/.github/workflows/swift.yml
index 36929bdfa..b58a9e3b7 100644
--- a/.github/workflows/swift.yml
+++ b/.github/workflows/swift.yml
@@ -39,17 +39,15 @@ jobs:
             destination: generic/platform=iOS
     permissions:
       contents: read
+      id-token: 'write'
     defaults:
       run:
         working-directory: ./swift/apple
     steps:
       - uses: actions/checkout@v4
-      - uses: Swatinem/rust-cache@v2
+      - uses: ./.github/actions/setup-rust
         with:
-          workspaces: ./rust
-          key: ${{ matrix.runs-on }}-${{ runner.arch }}
-          save-if: ${{ github.ref == 'refs/heads/main' }}
-      - uses: dtolnay/rust-toolchain@stable
+          targets: aarch64-apple-darwin aarch64-apple-ios
       - uses: actions/cache/restore@v3
         name: Restore Swift DerivedData Cache
         with:
diff --git a/rust/connlib/clients/android/connlib/build.gradle.kts b/rust/connlib/clients/android/connlib/build.gradle.kts
index 728bbe813..a88a0bef6 100644
--- a/rust/connlib/clients/android/connlib/build.gradle.kts
+++ b/rust/connlib/clients/android/connlib/build.gradle.kts
@@ -99,6 +99,8 @@ cargo {
     module = "../"
     libname = "connlib"
     targets = listOf("arm", "arm64", "x86_64")
+    targetDirectory = "../../../../target"
+    targetIncludes = arrayOf("connlib.dylib")
 }
 
 tasks.register("copyJniSharedObjectsDebug") {
diff --git a/rust/connlib/clients/apple/build-rust.sh b/rust/connlib/clients/apple/build-rust.sh
index 4abf27b4b..3b42a5c6f 100755
--- a/rust/connlib/clients/apple/build-rust.sh
+++ b/rust/connlib/clients/apple/build-rust.sh
@@ -28,6 +28,9 @@ for var in $(env | awk -F= '{print $1}'); do
   && [[ "$var" != "SYMROOT" ]] \
   && [[ "$var" != "SRCROOT" ]] \
   && [[ "$var" != "TARGETED_DEVICE_FAMILY" ]] \
+  && [[ "$var" != "RUSTC_WRAPPER" ]] \
+  && [[ "$var" != "SCCACHE_GCS_BUCKET" ]] \
+  && [[ "$var" != "SCCACHE_GCS_RW_MODE" ]] \
   && [[ "$var" != "CONNLIB_TARGET_DIR" ]]; then
   unset $var
   fi
diff --git a/rust/rust-toolchain.toml b/rust/rust-toolchain.toml
index 3316c1cff..8142c3012 100644
--- a/rust/rust-toolchain.toml
+++ b/rust/rust-toolchain.toml
@@ -1,12 +1,2 @@
 [toolchain]
 channel = "1.73.0"
-components = ["rustfmt", "clippy"]
-targets = [
-  "x86_64-unknown-linux-musl",
-  "x86_64-linux-android",
-  "x86_64-apple-darwin",
-  "aarch64-apple-darwin",
-  "aarch64-apple-ios",
-  "aarch64-linux-android",
-  "armv7-linux-androideabi",
-]