diff --git a/fast/stages/03-gke-multitenant/prod/gke-clusters.tf b/fast/stages/03-gke-multitenant/prod/gke-clusters.tf
index 2adac67f..89ad47ac 100644
--- a/fast/stages/03-gke-multitenant/prod/gke-clusters.tf
+++ b/fast/stages/03-gke-multitenant/prod/gke-clusters.tf
@@ -27,7 +27,7 @@ module "gke-cluster" {
   source = "../../../../modules/gke-cluster"
   for_each = local.clusters
   name = each.key
-  project_id = each.value.project_id
+  project_id = module.gke-project-0.project_id
   description = each.value.description
   location = each.value.location
   network = each.value.net.vpc
@@ -114,7 +114,4 @@ module "gke-cluster" {
   # }
   # }
 
-  depends_on = [
-    google_project_iam_member.host_project_bindings
-  ]
 }
diff --git a/fast/stages/03-gke-multitenant/prod/main.tf b/fast/stages/03-gke-multitenant/prod/main.tf
index 479c4e34..1f7f3e13 100644
--- a/fast/stages/03-gke-multitenant/prod/main.tf
+++ b/fast/stages/03-gke-multitenant/prod/main.tf
@@ -19,11 +19,6 @@ locals {
   _gke_robot_sa = "serviceAccount:${module.gke-project-0.service_accounts.robots.container-engine}"
   _cloud_services_sa = "serviceAccount:${module.gke-project-0.service_accounts.cloud_services}"
 
-  host_project_bindings = [
-    { role = "roles/container.hostServiceAgentUser", member = local._gke_robot_sa },
-    { role = "roles/compute.networkUser", member = local._gke_robot_sa },
-    { role = "roles/compute.networkUser", member = local._cloud_services_sa }
-  ]
 }
 
 module "gke-project-0" {
@@ -50,9 +45,17 @@ module "gke-project-0" {
   shared_vpc_service_config = {
     attach = true
     host_project = var.vpc_host_project
+    service_identity_iam = {
+      "roles/compute.networkUser" = [
+        "cloudservices", "container-engine"
+      ]
+      "roles/container.hostServiceAgentUser" = [
+        "container-engine"
+      ]
+    }
   }
 
-  # specify project-level org policies here if you need them
+  # specify project-level org policies here if you need them
   # policy_boolean = {
   #   "constraints/compute.disableGuestAttributesAccess" = true
   # }
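Review bot: The cluster project is now fixed to `module.gke-project-0.project_id` for every entry of `local.clusters`, and the matching `project_id` attribute is dropped from the `clusters` variable in variables.tf; because the variable is an object type, any tfvars still setting `project_id` per cluster will now be rejected at plan time rather than ignored, which is worth stating in the stage's variable documentation or changelog. The `module "gke-cluster"` block continues outside the hunk.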
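Review bot: Dropping the explicit `depends_on` leaves cluster creation ordered only by the `module.gke-project-0.project_id` reference, and a dependency on a module output reaches only the resources that output itself depends on, not the whole module; if the `service_identity_iam` bindings the project module now creates on the host project are not on the path of `project_id`, a fresh apply can start creating clusters before the `hostServiceAgentUser` and `networkUser` grants exist and fail on the shared-VPC attachment. Unless the module's output is known to be wired after its IAM resources, keep the ordering explicit with `depends_on = [module.gke-project-0]`. The `module "gke-cluster"` block begins before this hunk.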
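Review bot: `_gke_robot_sa` and `_cloud_services_sa` stay in `locals`, but their only visible consumer, `host_project_bindings`, is removed here and the `google_project_iam_member` resource that read it is removed further down main.tf; unless something outside the hunk still references them, they are now dead code and should go too, so the file does not keep advertising a binding path it no longer uses. The `locals` block starts before this hunk.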
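Review bot: The `service_identity_iam` map reproduces the previous host-project grants, but the code it replaces used additive `google_project_iam_member` resources and nothing in the hunk says whether the project module applies this map additively or authoritatively per role; if it is authoritative, applying it from this service project would remove every other member of `roles/compute.networkUser` on the shared VPC host project, which in a multitenant host is shared with other service projects. Please confirm the module's semantics and record them above the map, e.g. `# NOTE: confirm whether service_identity_iam is additive or authoritative on var.vpc_host_project`. The grants also remain project-wide on the host project rather than scoped to the subnets the clusters actually use; if the module offers subnet-level `networkUser`, that is the narrower option. The `module "gke-project-0"` block continues outside the hunk.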
@@ -72,10 +75,3 @@ module "gke-dataset-resource-usage" {
   id = "resource_usage"
   friendly_name = "GKE resource usage."
 }
-
-resource "google_project_iam_member" "host_project_bindings" {
-  for_each = { for i, v in local.host_project_bindings : i => v }
-  project = var.vpc_host_project
-  role = each.value.role
-  member = each.value.member
-}
diff --git a/fast/stages/03-gke-multitenant/prod/variables.tf b/fast/stages/03-gke-multitenant/prod/variables.tf
index 55e7276d..425eaf85 100644
--- a/fast/stages/03-gke-multitenant/prod/variables.tf
+++ b/fast/stages/03-gke-multitenant/prod/variables.tf
@@ -68,7 +68,6 @@ variable "clusters" {
       memory_min = number
       memory_max = number
     })
-    project_id = string
     description = string
     dns_domain = string
     labels = map(string)
@@ -138,8 +137,8 @@ variable "nodepool_defaults" {
 variable "nodepools" {
   description = ""
   type = map(map(object({
-    node_count = number
-    node_type = string
+    node_count = number
+    node_type = string
     initial_node_count = number
     overrides = object({
       image_type = string
@@ -161,4 +160,4 @@ variable "vpc_host_project" {
   # tfdoc:variable:source 02-networking
   description = "Host project for the shared VPC."
   type = string
-}
\ No newline at end of file
+}