diff --git a/porch/controllers/config/rbac/role.yaml b/porch/controllers/config/rbac/role.yaml index 920baf25aa..bce7b19b3a 100644 --- a/porch/controllers/config/rbac/role.yaml +++ b/porch/controllers/config/rbac/role.yaml @@ -26,6 +26,14 @@ rules: verbs: - create - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch - apiGroups: - config.porch.kpt.dev resources: @@ -116,3 +124,15 @@ rules: - patch - update - watch +- apiGroups: + - iam.cnrm.cloud.google.com + resources: + - iampolicymembers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch diff --git a/porch/controllers/workloadidentitybinding/pkg/controllers/workloadidentitybinding/controller.go b/porch/controllers/workloadidentitybinding/pkg/controllers/workloadidentitybinding/controller.go index 07f50f837e..0935d49e6c 100644 --- a/porch/controllers/workloadidentitybinding/pkg/controllers/workloadidentitybinding/controller.go +++ b/porch/controllers/workloadidentitybinding/pkg/controllers/workloadidentitybinding/controller.go @@ -44,6 +44,12 @@ type WorkloadIdentityBindingReconciler struct { //+kubebuilder:rbac:groups=config.porch.kpt.dev,resources=workloadidentitybindings/status,verbs=get;update;patch //+kubebuilder:rbac:groups=config.porch.kpt.dev,resources=workloadidentitybindings/finalizers,verbs=update +// Needs to read namespace to get project-id annotation +//+kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch + +// Creates iampolicymembers (using server-side-apply) +//+kubebuilder:rbac:groups=iam.cnrm.cloud.google.com,resources=iampolicymembers,verbs=get;list;watch;create;update;patch;delete + // Reconcile implements the main kubernetes reconciliation loop. func (r *WorkloadIdentityBindingReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { var subject api.WorkloadIdentityBinding 
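Review bot: The new `iampolicymembers` marker requests the full verb set including `delete`, but its comment only explains creation via server-side apply, and nothing records that the grant is cluster-wide for a namespaced Config Connector resource if `role.yaml` is emitted as a ClusterRole (its kind is not in the diff). Because any principal who can create a WorkloadIdentityBinding can now make the controller apply IAMPolicyMember objects, the reconciler's input handling is the real guard: `applyToClusterRef` already derives the project from the binding's own namespace via `subject.GetNamespace()`, which is the right source, but the IAM role and member written into the IAMPolicyMember should likewise be fixed or validated rather than copied from caller-supplied fields — the CRD is not visible here, so please confirm. I would expand the marker comment to state why each verb is needed and what the blast radius is, e.g. `// Applies iampolicymembers via server-side apply (patch); delete is for finalizer cleanup. Cluster-wide when bound as a ClusterRole: anyone who can create a WorkloadIdentityBinding can drive this.` The `Reconcile` body that follows the markers continues outside the hunk.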
@@ -121,7 +127,6 @@ func updateStatus(subject *api.WorkloadIdentityBinding, results *applyset.ApplyR } func (r *WorkloadIdentityBindingReconciler) applyToClusterRef(ctx context.Context, subject *api.WorkloadIdentityBinding) (*applyset.ApplyResults, error) { - ns := &corev1.Namespace{} if err := r.Get(ctx, types.NamespacedName{Name: subject.GetNamespace()}, ns); err != nil { return nil, fmt.Errorf("error getting namespace %q: %w", subject.GetNamespace(), err)