diff --git a/fast/stages/0-bootstrap/data/custom-roles/organization_admin_viewer.yaml b/fast/stages/0-bootstrap/data/custom-roles/organization_admin_viewer.yaml
index dfef91eab..755fe1a18 100644
--- a/fast/stages/0-bootstrap/data/custom-roles/organization_admin_viewer.yaml
+++ b/fast/stages/0-bootstrap/data/custom-roles/organization_admin_viewer.yaml
@@ -31,3 +31,4 @@ includedPermissions:
 - resourcemanager.projects.get
 - resourcemanager.projects.getIamPolicy
 - resourcemanager.projects.list
+ - storage.buckets.getIamPolicy
diff --git a/fast/stages/1-resman/data/top-level-folders/teams.yaml b/fast/stages/1-resman/data/top-level-folders/teams.yaml
index 907bdd7b2..1d32de85d 100644
--- a/fast/stages/1-resman/data/top-level-folders/teams.yaml
+++ b/fast/stages/1-resman/data/top-level-folders/teams.yaml
@@ -26,7 +26,16 @@ iam_by_principals:
 - roles/viewer
 - roles/resourcemanager.folderViewer
 - roles/resourcemanager.tagViewer
-
+iam_bindings:
+ pf_viewer:
+ role: organization_admin_viewer
+ members:
+ - project-factory-ro
+ condition:
+ title: project-factory-scoped
+ description: Allow to check buckets and contact policies
+ expression: |
+ resource.matchTag('${organization.id}/${tag_names.context}', 'project-factory')
 # don't create a context tag since this uses the pf tag
 is_fast_context: false
 tag_bindings:
diff --git a/tests/fast/stages/s1_resman/simple.yaml b/tests/fast/stages/s1_resman/simple.yaml
index 1d5d5cc4e..c128a5915 100644
--- a/tests/fast/stages/s1_resman/simple.yaml
+++ b/tests/fast/stages/s1_resman/simple.yaml
@@ -14,7 +14,7 @@ counts:
 google_folder: 12
- google_folder_iam_binding: 50
+ google_folder_iam_binding: 51
 google_org_policy_policy: 2
 google_organization_iam_member: 15
 google_project_iam_member: 13
@@ -29,7 +29,7 @@ counts:
 google_tags_tag_value: 12
 google_tags_tag_value_iam_binding: 4
 modules: 32
- resources: 194
+ resources: 195
 outputs:
 cicd_repositories:
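Review bot: The new `storage.buckets.getIamPolicy` entry carries no hint of which consumer needs it, so the next reviewer of this organization-level viewer role (by its path and name) cannot tell whether it is still required; a trailing comment such as `- storage.buckets.getIamPolicy  # bucket IAM visibility for the tag-scoped project-factory-ro binding in 1-resman teams.yaml` would anchor it. The permission reads a bucket's IAM policy, which discloses principal membership, but it does not enumerate buckets; if the principal is expected to discover buckets rather than be handed their names, `storage.buckets.list` would also be needed on the scoped projects — presumably another role in the binding covers that, worth confirming. The role's title and description live outside the hunk and should mention the bucket IAM visibility if they list what the role reveals.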
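Review bot: `expression: |` keeps the trailing newline, so the condition expression stored on the binding is `resource.matchTag(...)` followed by a line break; `expression: >-` (or `|-`) yields the bare expression and avoids a possible perpetual plan diff if the API returns a normalized string. The description is awkward and understates what the condition does; `description: Allows reading bucket IAM and contact policies on project-factory-tagged resources` states the actual scope. `role: organization_admin_viewer` is a short name, presumably resolved by the stage to the custom role defined in 0-bootstrap — worth confirming the key matches exactly, since a mismatch should fail at plan rather than silently bind a different role. The removed blank line between `iam_by_principals` and the `# don't create a context tag` comment looks accidental and can be kept for readability.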