diff --git a/fast/stages/02-networking-nva/main.tf b/fast/stages/02-networking-nva/main.tf
index c680f4442..4db5061ba 100644
--- a/fast/stages/02-networking-nva/main.tf
+++ b/fast/stages/02-networking-nva/main.tf
@@ -31,7 +31,9 @@ locals {
 stage3_sas_delegated_grants = [
 "roles/composer.sharedVpcAgent",
 "roles/compute.networkUser",
+ "roles/compute.networkViewer",
 "roles/container.hostServiceAgentUser",
+ "roles/multiclusterservicediscovery.serviceAgent",
 "roles/vpcaccess.user",
 ]
 }
diff --git a/fast/stages/02-networking-nva/spoke-dev.tf b/fast/stages/02-networking-nva/spoke-dev.tf
index 75e17d610..225c28296 100644
--- a/fast/stages/02-networking-nva/spoke-dev.tf
+++ b/fast/stages/02-networking-nva/spoke-dev.tf
@@ -41,7 +41,8 @@ module "dev-spoke-project" {
 metric_scopes = [module.landing-project.project_id]
 iam = {
 "roles/dns.admin" = compact([
- try(local.service_accounts.project-factory-dev, null)
+ try(local.service_accounts.gke-dev, null),
+ try(local.service_accounts.project-factory-dev, null),
 ])
 }
 }
diff --git a/fast/stages/02-networking-nva/spoke-prod.tf b/fast/stages/02-networking-nva/spoke-prod.tf
index b3d4647d6..e3fa7c8ca 100644
--- a/fast/stages/02-networking-nva/spoke-prod.tf
+++ b/fast/stages/02-networking-nva/spoke-prod.tf
@@ -41,7 +41,8 @@ module "prod-spoke-project" {
 metric_scopes = [module.landing-project.project_id]
 iam = {
 "roles/dns.admin" = compact([
- try(local.service_accounts.project-factory-prod, null)
+ try(local.service_accounts.gke-prod, null),
+ try(local.service_accounts.project-factory-prod, null),
 ])
 }
 }
diff --git a/fast/stages/02-networking-peering/main.tf b/fast/stages/02-networking-peering/main.tf
index 9e013fd17..de6264649 100644
--- a/fast/stages/02-networking-peering/main.tf
+++ b/fast/stages/02-networking-peering/main.tf
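Review bot: The two roles added to `stage3_sas_delegated_grants` in 02-networking-nva/main.tf widen what, judging by the local's name, stage 3 service accounts are allowed to grant, and nothing in the hunk records why. `roles/multiclusterservicediscovery.serviceAgent` is a service-agent role, normally bound only to the Google-managed service agent, so delegating it deserves a stated justification and a check that the consuming IAM condition (outside this hunk) cannot be used to hand it to arbitrary principals. If the reason is the GKE stage, a comment above the new entries would do, e.g. `# networkViewer and the MCS service agent role are delegated for the GKE stage (multi-cluster services on the Shared VPC host)`. The same applies to the identical hunks in 02-networking-peering/main.tf and 02-networking-vpn/main.tf.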
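Review bot: In 02-networking-nva/spoke-dev.tf the `gke-dev` service account now receives `roles/dns.admin` on the whole dev spoke project, which allows changes to every managed zone and DNS policy there rather than only what the GKE stage needs. If read access or a single zone is enough, a narrower grant such as `roles/dns.reader` or a zone-level binding would limit the impact of a compromised stage 3 identity; if project-wide admin is really required, say so in a comment, e.g. `# gke-dev manages Cloud DNS zones for its clusters in the host project`. Because the entry is wrapped in `try(..., null)` inside `compact`, a missing or renamed `gke-dev` key silently produces no binding, so the key name should be checked against where `local.service_accounts` is built (outside the hunk). The same points apply to the spoke-prod.tf hunk and to the spoke-dev/spoke-prod hunks under 02-networking-peering and 02-networking-vpn.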
@@ -32,7 +32,9 @@ locals {
 stage3_sas_delegated_grants = [
 "roles/composer.sharedVpcAgent",
 "roles/compute.networkUser",
+ "roles/compute.networkViewer",
 "roles/container.hostServiceAgentUser",
+ "roles/multiclusterservicediscovery.serviceAgent",
 "roles/vpcaccess.user",
 ]
 service_accounts = {
diff --git a/fast/stages/02-networking-peering/spoke-dev.tf b/fast/stages/02-networking-peering/spoke-dev.tf
index c0749bf9d..f2c657280 100644
--- a/fast/stages/02-networking-peering/spoke-dev.tf
+++ b/fast/stages/02-networking-peering/spoke-dev.tf
@@ -42,7 +42,8 @@ module "dev-spoke-project" {
 metric_scopes = [module.landing-project.project_id]
 iam = {
 "roles/dns.admin" = compact([
- try(local.service_accounts.project-factory-dev, null)
+ try(local.service_accounts.gke-dev, null),
+ try(local.service_accounts.project-factory-dev, null),
 ])
 }
 }
diff --git a/fast/stages/02-networking-peering/spoke-prod.tf b/fast/stages/02-networking-peering/spoke-prod.tf
index 768a2012f..30608d3a9 100644
--- a/fast/stages/02-networking-peering/spoke-prod.tf
+++ b/fast/stages/02-networking-peering/spoke-prod.tf
@@ -42,7 +42,8 @@ module "prod-spoke-project" {
 metric_scopes = [module.landing-project.project_id]
 iam = {
 "roles/dns.admin" = compact([
- try(local.service_accounts.project-factory-prod, null)
+ try(local.service_accounts.gke-prod, null),
+ try(local.service_accounts.project-factory-prod, null),
 ])
 }
 }
diff --git a/fast/stages/02-networking-vpn/main.tf b/fast/stages/02-networking-vpn/main.tf
index 9e013fd17..de6264649 100644
--- a/fast/stages/02-networking-vpn/main.tf
+++ b/fast/stages/02-networking-vpn/main.tf
@@ -32,7 +32,9 @@ locals {
 stage3_sas_delegated_grants = [
 "roles/composer.sharedVpcAgent",
 "roles/compute.networkUser",
+ "roles/compute.networkViewer",
 "roles/container.hostServiceAgentUser",
+ "roles/multiclusterservicediscovery.serviceAgent",
 "roles/vpcaccess.user",
 ]
 service_accounts = {
diff --git a/fast/stages/02-networking-vpn/spoke-dev.tf b/fast/stages/02-networking-vpn/spoke-dev.tf
index c0749bf9d..ccd75da32 100644
--- a/fast/stages/02-networking-vpn/spoke-dev.tf
+++ b/fast/stages/02-networking-vpn/spoke-dev.tf
@@ -42,6 +42,7 @@ module "dev-spoke-project" {
 metric_scopes = [module.landing-project.project_id]
 iam = {
 "roles/dns.admin" = compact([
+ try(local.service_accounts.gke-dev, null),
 try(local.service_accounts.project-factory-dev, null)
 ])
 }
diff --git a/fast/stages/02-networking-vpn/spoke-prod.tf b/fast/stages/02-networking-vpn/spoke-prod.tf
index 768a2012f..70b81a15e 100644
--- a/fast/stages/02-networking-vpn/spoke-prod.tf
+++ b/fast/stages/02-networking-vpn/spoke-prod.tf
@@ -42,6 +42,7 @@ module "prod-spoke-project" {
 metric_scopes = [module.landing-project.project_id]
 iam = {
 "roles/dns.admin" = compact([
+ try(local.service_accounts.gke-prod, null),
 try(local.service_accounts.project-factory-prod, null)
 ])
 }
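Review bot: The 02-networking-vpn spoke-dev.tf and spoke-prod.tf hunks leave the last list element without a trailing comma, while the matching nva and peering hunks rewrite that line to add one. Making the three stages identical keeps future diffs of this privileged `roles/dns.admin` member list to a single line, so a later addition is easier to spot in review: `try(local.service_accounts.project-factory-dev, null),` and `try(local.service_accounts.project-factory-prod, null),`. The enclosing `module` blocks start and end outside these hunks.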