diff --git a/fast/stages/0-bootstrap/organization-iam.tf b/fast/stages/0-bootstrap/organization-iam.tf
index 6227e5b4a..de16ede98 100644
--- a/fast/stages/0-bootstrap/organization-iam.tf
+++ b/fast/stages/0-bootstrap/organization-iam.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2024 Google LLC
+ * Copyright 2025 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -188,9 +188,16 @@ locals {
 ]
 }
 }
+ # Check if boostrap_user comes from WIF
+ bootstrap_principal = var.bootstrap_user == null ? null : (
+ strcontains(var.bootstrap_user, ":")
+ ? var.bootstrap_user
+ : "user:${var.bootstrap_user}"
+ )
+ # bootstrap user bindings
 iam_user_bootstrap_bindings = var.bootstrap_user == null ? {} : {
- "user:${var.bootstrap_user}" = {
+ (local.bootstrap_principal) = {
 authoritative = [
 "roles/logging.admin",
 "roles/owner",
@@ -198,7 +205,6 @@ locals {
 "roles/resourcemanager.projectCreator",
 "roles/resourcemanager.tagAdmin"
 ]
- # TODO: align additive roles with the README
 additive = (
 local.billing_mode != "org" ? [] : [
 "roles/billing.admin"
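Review bot: The `strcontains(var.bootstrap_user, ":")` test on the added `bootstrap_principal` line passes through any prefixed principal, not only a WIF identity, so a `group:` or `domain:` value would silently receive the org-level `roles/owner` and the other authoritative bindings keyed on it a few lines below. If only the WIF case is intended, constrain the accepted forms — a `validation` block on `var.bootstrap_user` (declared outside this file, presumably in variables.tf) such as `condition = var.bootstrap_user == null || !strcontains(var.bootstrap_user, ":") || can(regex("^(user:|principal://|principalSet://)", var.bootstrap_user))` would do it and would also catch a stray colon in a plain e-mail address. The new comment has a typo and overstates what the expression checks; `# Use bootstrap_user verbatim when it is already a fully qualified principal (e.g. a WIF principal:// or principalSet:// identity), otherwise treat it as a user e-mail` describes it accurately. The enclosing `locals` block starts and ends outside the hunk.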