diff --git a/fast/stages/02-networking-nva/spoke-dev.tf b/fast/stages/02-networking-nva/spoke-dev.tf
index 2fbf82ef..cbb721ec 100644
--- a/fast/stages/02-networking-nva/spoke-dev.tf
+++ b/fast/stages/02-networking-nva/spoke-dev.tf
@@ -120,3 +120,18 @@ module "peering-dev" {
 local_network = module.dev-spoke-vpc.self_link
 peer_network = module.landing-trusted-vpc.self_link
 }
+
+# Create delegated grants for stage3 service accounts
+resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
+ project = module.dev-spoke-project.project_id
+ role = "roles/resourcemanager.projectIamAdmin"
+ members = values(local.service_accounts)
+ condition {
+ title = "dev_stage3_sa_delegated_grants"
+ description = "Development host project delegated grants."
+ expression = format(
+ "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
+ join(",", formatlist("'%s'", local.stage3_sas_delegated_grants))
+ )
+ }
+}
diff --git a/fast/stages/02-networking-nva/spoke-prod.tf b/fast/stages/02-networking-nva/spoke-prod.tf
index 53713032..33cbac49 100644
--- a/fast/stages/02-networking-nva/spoke-prod.tf
+++ b/fast/stages/02-networking-nva/spoke-prod.tf
@@ -120,3 +120,18 @@ module "peering-prod" {
 local_network = module.prod-spoke-vpc.self_link
 peer_network = module.landing-trusted-vpc.self_link
 }
+
+# Create delegated grants for stage3 service accounts
+resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
+ project = module.prod-spoke-project.project_id
+ role = "roles/resourcemanager.projectIamAdmin"
+ members = values(local.service_accounts)
+ condition {
+ title = "prod_stage3_sa_delegated_grants"
+ description = "Production host project delegated grants."
+ expression = format(
+ "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
+ join(",", formatlist("'%s'", local.stage3_sas_delegated_grants))
+ )
+ }
+}
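Review bot: `members = values(local.service_accounts)` grants conditional `roles/resourcemanager.projectIamAdmin` on the development host project to every service account in `local.service_accounts`, which from the `02-networking-vpn` hunks below includes at least `project-factory-prod`, so production stage-3 identities can now delegate grants inside the development project (and the `spoke-prod.tf` hunk in this same file section does the reverse). The `hasOnly` condition bounds which roles may be granted, not which environment's project they are granted on, so this weakens the dev/prod separation that a per-environment member list preserves; the same widening is made in both `02-networking-vpn` hunks, where the removed line was exactly that narrower form. Consider keeping the member list scoped per environment, e.g. `members = [local.service_accounts.project-factory-dev]` or `members = [for k, v in local.service_accounts : v if can(regex("-dev$", k))]`, with the matching prod filter in the prod bindings. If the cross-environment membership is intentional, the `# Create delegated grants for stage3 service accounts` comment should say that stage-3 accounts of every environment receive the delegated grant on this project.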
diff --git a/fast/stages/02-networking-vpn/spoke-dev.tf b/fast/stages/02-networking-vpn/spoke-dev.tf
index 2074d29b..a1c713ad 100644
--- a/fast/stages/02-networking-vpn/spoke-dev.tf
+++ b/fast/stages/02-networking-vpn/spoke-dev.tf
@@ -102,9 +102,7 @@ module "dev-spoke-cloudnat" {
 resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
 project = module.dev-spoke-project.project_id
 role = "roles/resourcemanager.projectIamAdmin"
- members = [
- local.service_accounts.project-factory-dev
- ]
+ members = values(local.service_accounts)
 condition {
 title = "dev_stage3_sa_delegated_grants"
 description = "Development host project delegated grants."
diff --git a/fast/stages/02-networking-vpn/spoke-prod.tf b/fast/stages/02-networking-vpn/spoke-prod.tf
index c6985b67..ca94cacf 100644
--- a/fast/stages/02-networking-vpn/spoke-prod.tf
+++ b/fast/stages/02-networking-vpn/spoke-prod.tf
@@ -102,9 +102,7 @@ module "prod-spoke-cloudnat" {
 resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
 project = module.prod-spoke-project.project_id
 role = "roles/resourcemanager.projectIamAdmin"
- members = [
- local.service_accounts.project-factory-prod
- ]
+ members = values(local.service_accounts)
 condition {
 title = "prod_stage3_sa_delegated_grants"
 description = "Production host project delegated grants."