diff --git a/ci/cloudbuild/builds/lib/universe_domain.sh b/ci/cloudbuild/builds/lib/universe_domain.sh new file mode 100644 index 000000000000..63c27c627877 --- /dev/null +++ b/ci/cloudbuild/builds/lib/universe_domain.sh @@ -0,0 +1,35 @@ +#!/bin/bash +# +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Make our include guard clean against set -o nounset. +test -n "${CI_CLOUDBUILD_BUILDS_LIB_UNIVERSE_DOMAIN_SH__:-}" || declare -i CI_CLOUDBUILD_BUILDS_LIB_UNIVERSE_DOMAIN_SH__=0 +if ((CI_CLOUDBUILD_BUILDS_LIB_UNIVERSE_DOMAIN_SH__++ != 0)); then + return 0 +fi # include guard + +# Only create the SA key file if the secret is available. +if [[ -n "${UD_SERVICE_ACCOUNT}" ]]; then + ORIG_UMASK=$(umask) + umask 077 + UD_SA_KEY_FILE=$(mktemp) + echo "${UD_SERVICE_ACCOUNT}" >"${UD_SA_KEY_FILE}" + umask "${ORIG_UMASK}" +fi + +function ud::bazel_run() { + io::log "Executing bazel run $1 with obscured arguments:" + bazel run --ui_event_filters=-info -- "$@" +} diff --git a/ci/cloudbuild/builds/universe-domain-demo.sh b/ci/cloudbuild/builds/universe-domain-demo.sh new file mode 100755 index 000000000000..fd356cf41022 --- /dev/null +++ b/ci/cloudbuild/builds/universe-domain-demo.sh 
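Review bot: The key file created with `mktemp` is never removed, so the service-account key stays on disk in the build container after the consuming build finishes; add `trap 'rm -f "${UD_SA_KEY_FILE}"' EXIT` right after the `echo` line (or have the consuming build script remove the file, since an EXIT trap installed by a library can replace a caller's own trap). `UD_SA_KEY_FILE` is also left unset when the secret is absent, and `[[ -n "${UD_SERVICE_ACCOUNT}" ]]` itself fails under `set -o nounset`, which contradicts the nounset-clean intent stated above the include guard; initialise with `UD_SA_KEY_FILE=""` before the `if` and test `"${UD_SERVICE_ACCOUNT:-}"`. Prefer `printf '%s\n' "${UD_SERVICE_ACCOUNT}" >"${UD_SA_KEY_FILE}"` over `echo`, which interprets a leading `-n`/`-e` and, in some shells, backslash escapes in the key material. The `ud::bazel_run` helper calls `io::log` without sourcing `ci/lib/io.sh`, so a one-line comment noting that callers must source it first (as universe-domain-demo.sh does) would help.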
@@ -0,0 +1,35 @@ +#!/bin/bash +# +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -eo pipefail + +source "$(dirname "$0")/../../lib/init.sh" +source module ci/lib/io.sh +source module ci/cloudbuild/builds/lib/bazel.sh +source module ci/cloudbuild/builds/lib/cloudcxxrc.sh +source module ci/cloudbuild/builds/lib/universe_domain.sh + +export CC=clang +export CXX=clang++ + +if [[ -n "${UD_SA_KEY_FILE}" ]]; then + ud::bazel_run //google/cloud/universe_domain/demo:kms_demo \ + "${UD_PROJECT}" "${UD_REGION}" "${UD_SA_KEY_FILE}" +else + source module ci/etc/integration-tests-config.sh + bazel run -- //google/cloud/universe_domain/demo:kms_demo \ + "${GOOGLE_CLOUD_PROJECT}" "${GOOGLE_CLOUD_CPP_TEST_REGION}" +fi diff --git a/ci/cloudbuild/cloudbuild.yaml b/ci/cloudbuild/cloudbuild.yaml index 7b95449eb055..00c9acf5c90d 100644 --- a/ci/cloudbuild/cloudbuild.yaml +++ b/ci/cloudbuild/cloudbuild.yaml 
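Review bot: In the key-file branch `${UD_PROJECT}` and `${UD_REGION}` are passed to the demo without checking that they are set, so a missing secret becomes an empty argument and an obscure failure from `kms_demo` rather than a clear message; add `: "${UD_PROJECT:?UD_PROJECT must be set}" "${UD_REGION:?UD_REGION must be set}"` at the top of that branch. Since universe_domain.sh only defines `UD_SA_KEY_FILE` when the secret is present, the test should read `[[ -n "${UD_SA_KEY_FILE:-}" ]]` so the script stays correct if `set -u` is ever enabled here. The two branches also differ in logging: `ud::bazel_run` hides the arguments while the `else` branch prints them via plain `bazel run`; presumably intentional because the non-UD project and region are not secret, but a comment saying so would prevent a later "fix" that routes the `else` branch through the obscuring helper or, worse, the reverse.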
@@ -64,6 +64,17 @@ availableSecrets: secretManager: - versionName: 'projects/${PROJECT_ID}/secrets/CODECOV_TOKEN/versions/latest' env: 'CODECOV_TOKEN' + - versionName: 'projects/${PROJECT_ID}/secrets/UD/versions/latest' + env: 'UD' + - versionName: 'projects/${PROJECT_ID}/secrets/UD_PROJECT/versions/latest' + env: 'UD_PROJECT' + - versionName: 'projects/${PROJECT_ID}/secrets/UD_REGION/versions/latest' + env: 'UD_REGION' + - versionName: 'projects/${PROJECT_ID}/secrets/UD_SERVICE_ACCOUNT/versions/latest' + env: 'UD_SERVICE_ACCOUNT' + - versionName: 'projects/${PROJECT_ID}/secrets/UD_SERVICE_ACCOUNT_NAME/versions/latest' + env: 'UD_SERVICE_ACCOUNT_NAME' + logsBucket: 'gs://${_LOGS_BUCKET}/logs/google-cloud-cpp/${_TRIGGER_SOURCE}/${COMMIT_SHA}/${_DISTRO}-${_BUILD_NAME}-${_SHARD}' @@ -101,7 +112,7 @@ steps: - name: '${_POOL_REGION}-docker.pkg.dev/${PROJECT_ID}/gcb/${_IMAGE}:${BUILD_ID}' entrypoint: 'ci/cloudbuild/build.sh' args: [ '--local', '--build', '${_BUILD_NAME}' ] - secretEnv: ['CODECOV_TOKEN'] + secretEnv: ['CODECOV_TOKEN', 'UD', 'UD_PROJECT', 'UD_REGION', 'UD_SERVICE_ACCOUNT', 'UD_SERVICE_ACCOUNT_NAME'] env: [ 'BAZEL_REMOTE_CACHE=https://storage.googleapis.com/${_CACHE_BUCKET}/bazel-cache/${_DISTRO}-${_BUILD_NAME}', 'LIBRARIES=${_LIBRARIES}', diff --git a/ci/cloudbuild/triggers/universe-domain-demo-ci.yaml b/ci/cloudbuild/triggers/universe-domain-demo-ci.yaml new file mode 100644 index 000000000000..f669e2509dd1 --- /dev/null +++ b/ci/cloudbuild/triggers/universe-domain-demo-ci.yaml 
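Review bot: The five `UD_*` secrets are added to `secretEnv` of the single generic build step, so every `_BUILD_NAME` executed through this file — not only `universe-domain-demo` — receives the service-account key in its environment, which widens the set of scripts that can read it to the whole CI. If the step cannot be scoped per `_BUILD_NAME` in this layout, document the exposure on the `availableSecrets` entry, e.g. `# UD_* secrets are visible to every build step; only the universe-domain-demo build consumes them`, and consider a dedicated step for the demo. `UD` and `UD_SERVICE_ACCOUNT_NAME` are declared and granted but not referenced by the shell scripts in this change, so they appear to be reserved for later work; confirming that before granting them avoids exposing unused secrets. The second hunk (the `secretEnv` line) carries the same point.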
@@ -0,0 +1,28 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +filename: ci/cloudbuild/cloudbuild.yaml +github: + name: google-cloud-cpp + owner: googleapis + push: + branch: ^main$ +name: universe-domain-demo-ci +substitutions: + _BUILD_NAME: universe-domain-demo + _DISTRO: fedora-latest-bazel + _TRIGGER_TYPE: ci +includeBuildLogs: INCLUDE_BUILD_LOGS_WITH_STATUS +tags: +- ci diff --git a/ci/cloudbuild/triggers/universe-domain-demo-pr.yaml b/ci/cloudbuild/triggers/universe-domain-demo-pr.yaml new file mode 100644 index 000000000000..406f41a189ab --- /dev/null +++ b/ci/cloudbuild/triggers/universe-domain-demo-pr.yaml 
@@ -0,0 +1,29 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +filename: ci/cloudbuild/cloudbuild.yaml +github: + name: google-cloud-cpp + owner: googleapis + pullRequest: + branch: ^main$ + commentControl: COMMENTS_ENABLED_FOR_EXTERNAL_CONTRIBUTORS_ONLY +name: universe-domain-demo-pr +substitutions: + _BUILD_NAME: universe-domain-demo + _DISTRO: fedora-latest-bazel + _TRIGGER_TYPE: pr +includeBuildLogs: INCLUDE_BUILD_LOGS_WITH_STATUS +tags: +- pr diff --git a/google/cloud/universe_domain/demo/kms.cc b/google/cloud/universe_domain/demo/kms.cc index 499eabc036f3..0752b4650452 100644 --- a/google/cloud/universe_domain/demo/kms.cc +++ b/google/cloud/universe_domain/demo/kms.cc 
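Review bot: With `commentControl: COMMENTS_ENABLED_FOR_EXTERNAL_CONTRIBUTORS_ONLY` an external PR runs once a collaborator comments, and because cloudbuild.yaml in this change exposes the UD service-account key through `secretEnv`, the approved PR's build scripts run with that key available; this is the same model already used for `CODECOV_TOKEN`, but the key is higher-value. A comment above `commentControl` such as `# Approving a run here gives the PR's build scripts access to the UD_* secrets; review the diff first` would make that obligation explicit to whoever triggers the build.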
@@ -18,34 +18,47 @@ #include "google/cloud/location.h" #include "google/cloud/universe_domain.h" #include "google/cloud/universe_domain_options.h" +#include #include int main(int argc, char* argv[]) try { - if (argc != 3) { - std::cerr << "Usage: " << argv[0] << " project-id location-id\n"; + if (argc != 3 && argc != 4) { + std::cerr << "Usage: " << argv[0] + << " project-id location-id [sa-key-file]\n"; return 1; } namespace gc = ::google::cloud; namespace kms = ::google::cloud::kms_v1; auto const location = gc::Location(argv[1], argv[2]); + gc::Options options; + if (argc == 4) { + auto is = std::ifstream(argv[3]); + is.exceptions(std::ios::badbit); + auto contents = std::string(std::istreambuf_iterator(is.rdbuf()), {}); + options.set( + google::cloud::MakeServiceAccountCredentials(contents)); + } + // Interrogate credentials for universe_domain and add the value to returned // options. - auto options = gc::AddUniverseDomainOption(gc::ExperimentalTag{}); - if (!options.ok()) throw std::move(options).status(); + auto ud_options = gc::AddUniverseDomainOption(gc::ExperimentalTag{}, options); + if (!ud_options.ok()) throw std::move(ud_options).status(); // Override retry policy to quickly exit if there's a failure. - options->set( + ud_options->set( std::make_shared( 3)); auto client = kms::KeyManagementServiceClient( - kms::MakeKeyManagementServiceConnection(*options)); + kms::MakeKeyManagementServiceConnection(*ud_options)); std::cout << "kms.ListKeyRings:\n"; for (auto kr : client.ListKeyRings(location.FullName())) { if (!kr) throw std::move(kr).status(); - std::cout << kr->DebugString() << "\n"; + std::string name = kr->name(); + std::cout << "short_key_name: " << name.substr(name.rfind('/') + 1) << "\n"; + std::cout << kr->create_time().DebugString() << "\n"; } return 0;
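Review bot: When `argv[3]` cannot be opened, `std::ifstream` sets only `failbit`, so `is.exceptions(std::ios::badbit)` never fires, `contents` is read as empty, and the error surfaces later as an opaque credentials failure rather than pointing at the key file; change the line to `is.exceptions(std::ios::badbit | std::ios::failbit);`, which throws `std::ios_base::failure` immediately for a failed open (reading through `istreambuf_iterator` does not touch the stream's state bits, so this does not misfire at EOF). That exception derives from `std::exception`; the function-try-block's handler is outside the hunk, so please confirm it catches that base type. A short comment on the `argc == 4` branch stating that the file is expected to hold a service-account JSON key, loaded whole into memory, would also help readers, since the template argument on the `options.set` line is not visible in this rendering.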