diff --git a/blueprints/data-solutions/bq-ml/README.md b/blueprints/data-solutions/bq-ml/README.md
index ddc82891f..205c0d617 100644
--- a/blueprints/data-solutions/bq-ml/README.md
+++ b/blueprints/data-solutions/bq-ml/README.md
@@ -97,5 +97,5 @@ module "test" {
   prefix     = "prefix"
 }
 
-# tftest modules=9 resources=74
+# tftest modules=9 resources=75
 ```
diff --git a/blueprints/data-solutions/data-playground/README.md b/blueprints/data-solutions/data-playground/README.md
index 70c0c95f7..35a4c2fed 100644
--- a/blueprints/data-solutions/data-playground/README.md
+++ b/blueprints/data-solutions/data-playground/README.md
@@ -84,5 +84,5 @@ module "test" {
     parent             = "folders/467898377"
   }
 }
-# tftest modules=8 resources=73
+# tftest modules=8 resources=74
 ```
diff --git a/blueprints/data-solutions/vertex-mlops/README.md b/blueprints/data-solutions/vertex-mlops/README.md
index d2c77e5a7..a45abb830 100644
--- a/blueprints/data-solutions/vertex-mlops/README.md
+++ b/blueprints/data-solutions/vertex-mlops/README.md
@@ -72,7 +72,7 @@ module "test" {
     project_id         = "test-dev"
   }
 }
-# tftest modules=11 resources=92
+# tftest modules=11 resources=93
 ```
 <!-- BEGIN TFDOC -->
 ## Variables
@@ -128,5 +128,5 @@ module "test" {
     project_id         = "test-dev"
   }
 }
-# tftest modules=13 resources=97 e2e
+# tftest modules=13 resources=98 e2e
 ```
diff --git a/modules/project/service-agents.yaml b/modules/project/service-agents.yaml
index f024a58f5..08967a456 100644
--- a/modules/project/service-agents.yaml
+++ b/modules/project/service-agents.yaml
@@ -72,7 +72,7 @@
   display_name: API Hub Service Account
   api: apihub.googleapis.com
   identity: service-${project_number}@gcp-sa-apihub.${universe_domain}iam.gserviceaccount.com
-  role: null
+  role: roles/apihub.runtimeProjectServiceAgent
   is_primary: true
   aliases: []
 - name: apikeys
@@ -329,6 +329,13 @@
   is_primary: false
   aliases:
   - bq
+- name: biglakerestcatalog
+  display_name: BigLake Iceberg Rest Catalog API Service Agent
+  api: biglake.googleapis.com
+  identity: blirc-${project_number}-IDENTIFIER@gcp-sa-biglakerestcatalog.${universe_domain}iam.gserviceaccount.com
+  role: null
+  is_primary: false
+  aliases: []
 - name: bigqueryconnection
   display_name: BigQuery Connection Service Agent
   api: bigqueryconnection.googleapis.com
@@ -632,6 +639,13 @@
   role: null
   is_primary: true
   aliases: []
+- name: observability
+  display_name: Cloud Observability Service Account
+  api: observability.googleapis.com
+  identity: service-${project_number}@gcp-sa-observability.${universe_domain}iam.gserviceaccount.com
+  role: null
+  is_primary: true
+  aliases: []
 - name: cloudoptim
   display_name: Cloud Optimization Service Agent
   api: cloudoptimization.googleapis.com
@@ -737,6 +751,13 @@
   role: roles/workflows.serviceAgent
   is_primary: true
   aliases: []
+- name: workstations
+  display_name: Cloud Workstations Service Agent
+  api: workstations.googleapis.com
+  identity: service-${project_number}@gcp-sa-workstations.${universe_domain}iam.gserviceaccount.com
+  role: roles/workstations.serviceAgent
+  is_primary: true
+  aliases: []
 - name: compute-system
   display_name: Compute Engine Service Agent
   api: compute.googleapis.com
@@ -896,7 +917,7 @@
   display_name: Developer Connect Service Account
   api: developerconnect.googleapis.com
   identity: service-${project_number}@gcp-sa-devconnect.${universe_domain}iam.gserviceaccount.com
-  role: null
+  role: roles/developerconnect.serviceAgent
   is_primary: true
   aliases: []
 - name: dialogflow-cmek
@@ -976,6 +997,13 @@
   role: null
   is_primary: true
   aliases: []
+- name: firebasevertexai
+  display_name: Firebase AI Logic Service Account
+  api: firebasevertexai.googleapis.com
+  identity: service-${project_number}@gcp-sa-firebasevertexai.${universe_domain}iam.gserviceaccount.com
+  role: roles/firebaseml.serviceAgent
+  is_primary: true
+  aliases: []
 - name: firebaseappcheck
   display_name: Firebase App Check Service Account
   api: firebaseappcheck.googleapis.com
@@ -1094,7 +1122,7 @@
   display_name: Google Cloud Dataproc Resource Manager Node Service Agent
   api: dataprocrm.googleapis.com
   identity: service-${project_number}@gcp-sa-dataprocrmnode.${universe_domain}iam.gserviceaccount.com
-  role: roles/dataprocrm.defaultNodeServiceAgent
+  role: roles/dataprocrm.nodeServiceAgent
   is_primary: true
   aliases: []
 - name: dataproc-accounts
@@ -1208,13 +1236,6 @@
   role: null
   is_primary: false
   aliases: []
-- name: issuerswitch
-  display_name: Issuer Switch Service Account
-  api: issuerswitch.googleapis.com
-  identity: service-${project_number}@gcp-sa-issuerswitch.${universe_domain}iam.gserviceaccount.com
-  role: null
-  is_primary: true
-  aliases: []
 - name: krmapihosting
   display_name: KRM API Hosting Service Account
   api: krmapihosting.googleapis.com
@@ -1266,6 +1287,13 @@
   role: roles/looker.serviceAgent
   is_primary: true
   aliases: []
+- name: lustre
+  display_name: Lustre Service Agent
+  api: lustre.googleapis.com
+  identity: service-${project_number}@gcp-sa-lustre.${universe_domain}iam.gserviceaccount.com
+  role: null
+  is_primary: true
+  aliases: []
 - name: managedflink
   display_name: Managed Flink Service Agent
   api: managedflink.googleapis.com
@@ -1372,6 +1400,13 @@
   role: roles/parallelstore.serviceAgent
   is_primary: true
   aliases: []
+- name: pm
+  display_name: Parameter Manager Service Account
+  api: parametermanager.googleapis.com
+  identity: service-${project_number}@gcp-sa-pm.${universe_domain}iam.gserviceaccount.com
+  role: null
+  is_primary: true
+  aliases: []
 - name: privateca
   display_name: Private CA Service Account
   api: privateca.googleapis.com
@@ -1428,6 +1463,13 @@
   role: roles/retail.serviceAgent
   is_primary: true
   aliases: []
+- name: saasservicemgmt
+  display_name: SaaS Service Management Service Account
+  api: saasservicemgmt.googleapis.com
+  identity: service-${project_number}@gcp-sa-saasservicemgmt.${universe_domain}iam.gserviceaccount.com
+  role: roles/saasservicemgmt.serviceAgent
+  is_primary: true
+  aliases: []
 - name: secretmanager
   display_name: Secret Manager Service Account
   api: secretmanager.googleapis.com
@@ -1589,6 +1631,20 @@
   role: roles/aiplatform.extensionCustomCodeServiceAgent
   is_primary: false
   aliases: []
+- name: vertex-logging
+  display_name: Vertex AI Logging Service Agent
+  api: aiplatform.googleapis.com
+  identity: service-${project_number}@gcp-sa-vertex-logging.${universe_domain}iam.gserviceaccount.com
+  role: null
+  is_primary: false
+  aliases: []
+- name: vertex-moss-ft
+  display_name: Vertex AI Managed OSS Fine Tuning Service Agent
+  api: aiplatform.googleapis.com
+  identity: service-${project_number}@gcp-sa-vertex-moss-ft.${universe_domain}iam.gserviceaccount.com
+  role: roles/aiplatform.tuningServiceAgent
+  is_primary: false
+  aliases: []
 - name: vertex-mm
   display_name: Vertex AI Model Monitoring Service Agent
   api: aiplatform.googleapis.com
@@ -1617,13 +1673,6 @@
   role: roles/aiplatform.tuningServiceAgent
   is_primary: false
   aliases: []
-- name: firebasevertexai
-  display_name: Vertex AI in Firebase Service Account
-  api: firebasevertexai.googleapis.com
-  identity: service-${project_number}@gcp-sa-firebasevertexai.${universe_domain}iam.gserviceaccount.com
-  role: roles/firebaseml.serviceAgent
-  is_primary: true
-  aliases: []
 - name: vertex-agent
   display_name: Vertex Agent Service Agent
   api: aiplatform.googleapis.com
@@ -1659,13 +1708,6 @@
   role: roles/workloadmanager.serviceAgent
   is_primary: true
   aliases: []
-- name: workstations
-  display_name: Workstations Service Account
-  api: workstations.googleapis.com
-  identity: service-${project_number}@gcp-sa-workstations.${universe_domain}iam.gserviceaccount.com
-  role: roles/workstations.serviceAgent
-  is_primary: true
-  aliases: []
 - name: workstationsvm
   display_name: Workstations VM Default Service Account
   api: workstations.googleapis.com