diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index 3111cd8b0..0a1499dec 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
@@ -153,7 +153,7 @@ Tags can also be specified via a factory in a similar way to organization polici
 
 A specific set of tag values used in org-level organization policy conditions can be optionally defined in the bootstrap stage, and can be referenced here if stage service accounts need specific permissions on those.
 
-As an example, consider this tag value defined via the boostrap stage tfvars.
+As an example, consider this tag value defined via the bootstrap stage tfvars.
 
 ```tfvars
 org_policies_config = {
@@ -165,7 +165,7 @@ org_policies_config = {
 }
 ```
 
-The tag is then used in the boostrap stage to modify the behaviour of the relevant organization policy.
+The tag is then used in the bootstrap stage to modify the behaviour of the relevant organization policy.
 
 ```yaml
 storage.publicAccessPrevention:
@@ -329,8 +329,8 @@ terraform apply
 | [custom_roles](variables-fast.tf#L54) | Custom roles defined at the org level, in key => id format. | <code title="object&#40;&#123;&#10;  billing_viewer                  &#61; string&#10;  dns_zone_binder                 &#61; string&#10;  kms_key_encryption_admin        &#61; string&#10;  kms_key_viewer                  &#61; string&#10;  organization_admin_viewer       &#61; string&#10;  project_iam_viewer              &#61; string&#10;  service_project_network_admin   &#61; string&#10;  storage_viewer                  &#61; string&#10;  gcve_network_admin              &#61; optional&#40;string&#41;&#10;  gcve_network_viewer             &#61; optional&#40;string&#41;&#10;  network_firewall_policies_admin &#61; optional&#40;string&#41;&#10;  ngfw_enterprise_admin           &#61; optional&#40;string&#41;&#10;  ngfw_enterprise_viewer          &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> | <code>0-bootstrap</code> |
 | [factories_config](variables.tf#L20) | Configuration for the resource factories or external data. | <code title="object&#40;&#123;&#10;  stage_2           &#61; optional&#40;string, &#34;data&#47;stage-2&#34;&#41;&#10;  stage_3           &#61; optional&#40;string, &#34;data&#47;stage-3&#34;&#41;&#10;  tags              &#61; optional&#40;string, &#34;data&#47;tags&#34;&#41;&#10;  top_level_folders &#61; optional&#40;string, &#34;data&#47;top-level-folders&#34;&#41;&#10;  context &#61; optional&#40;object&#40;&#123;&#10;    iam_principals &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;    org_policies   &#61; optional&#40;map&#40;map&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    tag_keys       &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;    tag_values     &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [fast_addon](variables-addons.tf#L17) | FAST addons configurations for stages 2. Keys are used as short names for the add-on resources. | <code title="map&#40;object&#40;&#123;&#10;  parent_stage &#61; string&#10;  cicd_config &#61; optional&#40;object&#40;&#123;&#10;    identity_provider &#61; string&#10;    repository &#61; object&#40;&#123;&#10;      name   &#61; string&#10;      branch &#61; optional&#40;string&#41;&#10;      type   &#61; optional&#40;string, &#34;github&#34;&#41;&#10;    &#125;&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [fast_stage_2](variables-stages.tf#L17) | FAST stages 2 configurations. | <code title="map&#40;object&#40;&#123;&#10;  short_name &#61; optional&#40;string&#41;&#10;  cicd_config &#61; optional&#40;object&#40;&#123;&#10;    identity_provider &#61; string&#10;    repository &#61; object&#40;&#123;&#10;      name   &#61; string&#10;      branch &#61; optional&#40;string&#41;&#10;      type   &#61; optional&#40;string, &#34;github&#34;&#41;&#10;    &#125;&#41;&#10;    workflows_config &#61; optional&#40;object&#40;&#123;&#10;      extra_files &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;&#10;  folder_config &#61; optional&#40;object&#40;&#123;&#10;    name               &#61; string&#10;    parent_id          &#61; optional&#40;string&#41;&#10;    create_env_folders &#61; optional&#40;bool, true&#41;&#10;    iam                &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings       &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;      member &#61; string&#10;      role   &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    iam_by_principals &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    org_policies &#61; optional&#40;map&#40;object&#40;&#123;&#10;      inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;      reset               &#61; optional&#40;bool&#41;&#10;      rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;        allow &#61; optional&#40;object&#40;&#123;&#10;          all    &#61; optional&#40;bool&#41;&#10;          values &#61; optional&#40;list&#40;string&#41;&#41;&#10;        &#125;&#41;&#41;&#10;        deny &#61; optional&#40;object&#40;&#123;&#10;          all    &#61; optional&#40;bool&#41;&#10;          values &#61; optional&#40;list&#40;string&#41;&#41;&#10;        &#125;&#41;&#41;&#10;        enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10;        condition &#61; optional&#40;object&#40;&#123;&#10;          description &#61; optional&#40;string&#41;&#10;          expression  &#61; optional&#40;string&#41;&#10;          location    &#61; optional&#40;string&#41;&#10;          title       &#61; optional&#40;string&#41;&#10;        &#125;&#41;, &#123;&#125;&#41;&#10;      &#125;&#41;&#41;, &#91;&#93;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    tag_bindings &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;&#10;  organization_config &#61; optional&#40;object&#40;&#123;&#10;    iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;      member &#61; string&#10;      role   &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    iam_by_principals &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;  stage3_config &#61; optional&#40;object&#40;&#123;&#10;    iam_admin_delegated &#61; optional&#40;list&#40;object&#40;&#123;&#10;      environment &#61; string&#10;      principal   &#61; string&#10;    &#125;&#41;&#41;, &#91;&#93;&#41;&#10;    iam_viewer &#61; optional&#40;list&#40;object&#40;&#123;&#10;      environment &#61; string&#10;      principal   &#61; string&#10;    &#125;&#41;&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [fast_stage_3](variables-stages.tf#L117) | FAST stages 3 configurations. | <code title="map&#40;object&#40;&#123;&#10;  short_name  &#61; optional&#40;string&#41;&#10;  environment &#61; optional&#40;string, &#34;dev&#34;&#41;&#10;  cicd_config &#61; optional&#40;object&#40;&#123;&#10;    identity_provider &#61; string&#10;    repository &#61; object&#40;&#123;&#10;      name   &#61; string&#10;      branch &#61; optional&#40;string&#41;&#10;      type   &#61; optional&#40;string, &#34;github&#34;&#41;&#10;    &#125;&#41;&#10;    workflows_config &#61; optional&#40;object&#40;&#123;&#10;      extra_files &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;&#10;  folder_config &#61; optional&#40;object&#40;&#123;&#10;    name         &#61; string&#10;    parent_id    &#61; optional&#40;string&#41;&#10;    tag_bindings &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;    iam          &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;      member &#61; string&#10;      role   &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    iam_by_principals &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    org_policies &#61; optional&#40;map&#40;object&#40;&#123;&#10;      inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;      reset               &#61; optional&#40;bool&#41;&#10;      rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;        allow &#61; optional&#40;object&#40;&#123;&#10;          all    &#61; optional&#40;bool&#41;&#10;          values &#61; optional&#40;list&#40;string&#41;&#41;&#10;        &#125;&#41;&#41;&#10;        deny &#61; optional&#40;object&#40;&#123;&#10;          all    &#61; optional&#40;bool&#41;&#10;          values &#61; optional&#40;list&#40;string&#41;&#41;&#10;        &#125;&#41;&#41;&#10;        enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10;        condition &#61; optional&#40;object&#40;&#123;&#10;          description &#61; optional&#40;string&#41;&#10;          expression  &#61; optional&#40;string&#41;&#10;          location    &#61; optional&#40;string&#41;&#10;          title       &#61; optional&#40;string&#41;&#10;        &#125;&#41;, &#123;&#125;&#41;&#10;      &#125;&#41;&#41;, &#91;&#93;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [fast_stage_2](variables-stages.tf#L17) | FAST stages 2 configurations. | <code title="map&#40;object&#40;&#123;&#10;  short_name &#61; optional&#40;string&#41;&#10;  cicd_config &#61; optional&#40;object&#40;&#123;&#10;    identity_provider &#61; string&#10;    repository &#61; object&#40;&#123;&#10;      name   &#61; string&#10;      branch &#61; optional&#40;string&#41;&#10;      type   &#61; optional&#40;string, &#34;github&#34;&#41;&#10;    &#125;&#41;&#10;    workflows_config &#61; optional&#40;object&#40;&#123;&#10;      extra_files &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;&#10;  folder_config &#61; optional&#40;object&#40;&#123;&#10;    name               &#61; string&#10;    parent_id          &#61; optional&#40;string&#41;&#10;    create_env_folders &#61; optional&#40;bool, true&#41;&#10;    iam                &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;      member &#61; string&#10;      role   &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;      member &#61; string&#10;      role   &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    iam_by_principals &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    org_policies &#61; optional&#40;map&#40;object&#40;&#123;&#10;      inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;      reset               &#61; optional&#40;bool&#41;&#10;      rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;        allow &#61; optional&#40;object&#40;&#123;&#10;          all    &#61; optional&#40;bool&#41;&#10;          values &#61; optional&#40;list&#40;string&#41;&#41;&#10;        &#125;&#41;&#41;&#10;        deny &#61; optional&#40;object&#40;&#123;&#10;          all    &#61; optional&#40;bool&#41;&#10;          values &#61; optional&#40;list&#40;string&#41;&#41;&#10;        &#125;&#41;&#41;&#10;        enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10;        condition &#61; optional&#40;object&#40;&#123;&#10;          description &#61; optional&#40;string&#41;&#10;          expression  &#61; optional&#40;string&#41;&#10;          location    &#61; optional&#40;string&#41;&#10;          title       &#61; optional&#40;string&#41;&#10;        &#125;&#41;, &#123;&#125;&#41;&#10;      &#125;&#41;&#41;, &#91;&#93;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    tag_bindings &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;&#10;  organization_config &#61; optional&#40;object&#40;&#123;&#10;    iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;      member &#61; string&#10;      role   &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    iam_by_principals &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;  stage3_config &#61; optional&#40;object&#40;&#123;&#10;    iam_admin_delegated &#61; optional&#40;list&#40;object&#40;&#123;&#10;      environment &#61; string&#10;      principal   &#61; string&#10;    &#125;&#41;&#41;, &#91;&#93;&#41;&#10;    iam_viewer &#61; optional&#40;list&#40;object&#40;&#123;&#10;      environment &#61; string&#10;      principal   &#61; string&#10;    &#125;&#41;&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [fast_stage_3](variables-stages.tf#L125) | FAST stages 3 configurations. | <code title="map&#40;object&#40;&#123;&#10;  short_name  &#61; optional&#40;string&#41;&#10;  environment &#61; optional&#40;string, &#34;dev&#34;&#41;&#10;  cicd_config &#61; optional&#40;object&#40;&#123;&#10;    identity_provider &#61; string&#10;    repository &#61; object&#40;&#123;&#10;      name   &#61; string&#10;      branch &#61; optional&#40;string&#41;&#10;      type   &#61; optional&#40;string, &#34;github&#34;&#41;&#10;    &#125;&#41;&#10;    workflows_config &#61; optional&#40;object&#40;&#123;&#10;      extra_files &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;&#10;  folder_config &#61; optional&#40;object&#40;&#123;&#10;    name         &#61; string&#10;    parent_id    &#61; optional&#40;string&#41;&#10;    tag_bindings &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;    iam          &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;      member &#61; string&#10;      role   &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;      member &#61; string&#10;      role   &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    iam_by_principals &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    org_policies &#61; optional&#40;map&#40;object&#40;&#123;&#10;      inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;      reset               &#61; optional&#40;bool&#41;&#10;      rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;        allow &#61; optional&#40;object&#40;&#123;&#10;          all    &#61; optional&#40;bool&#41;&#10;          values &#61; optional&#40;list&#40;string&#41;&#41;&#10;        &#125;&#41;&#41;&#10;        deny &#61; optional&#40;object&#40;&#123;&#10;          all    &#61; optional&#40;bool&#41;&#10;          values &#61; optional&#40;list&#40;string&#41;&#41;&#10;        &#125;&#41;&#41;&#10;        enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10;        condition &#61; optional&#40;object&#40;&#123;&#10;          description &#61; optional&#40;string&#41;&#10;          expression  &#61; optional&#40;string&#41;&#10;          location    &#61; optional&#40;string&#41;&#10;          title       &#61; optional&#40;string&#41;&#10;        &#125;&#41;, &#123;&#125;&#41;&#10;      &#125;&#41;&#41;, &#91;&#93;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [groups](variables-fast.tf#L93) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10;  gcp-billing-admins      &#61; optional&#40;string, &#34;gcp-billing-admins&#34;&#41;&#10;  gcp-devops              &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10;  gcp-network-admins      &#61; optional&#40;string, &#34;gcp-vpc-network-admins&#34;&#41;&#10;  gcp-organization-admins &#61; optional&#40;string, &#34;gcp-organization-admins&#34;&#41;&#10;  gcp-secops-admins       &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10;  gcp-security-admins     &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
 | [locations](variables-fast.tf#L109) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object&#40;&#123;&#10;  bq      &#61; optional&#40;string, &#34;EU&#34;&#41;&#10;  gcs     &#61; optional&#40;string, &#34;EU&#34;&#41;&#10;  logging &#61; optional&#40;string, &#34;global&#34;&#41;&#10;  pubsub  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
 | [org_policy_tags](variables-fast.tf#L153) | Organization policy tags. | <code title="object&#40;&#123;&#10;  key_id   &#61; optional&#40;string&#41;&#10;  key_name &#61; optional&#40;string, &#34;org-policies&#34;&#41;&#10;  values   &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
diff --git a/fast/stages/1-resman/stage-3.tf b/fast/stages/1-resman/stage-3.tf
index 3a5af762d..97e4f7c39 100644
--- a/fast/stages/1-resman/stage-3.tf
+++ b/fast/stages/1-resman/stage-3.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2024 Google LLC
+ * Copyright 2025 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -60,6 +60,16 @@ locals {
     },
     var.fast_stage_3
   )
+  _stage_3_iam = { for k, v in local._stage3 : k => {
+    "roles/logging.admin"                  = [module.stage3-sa-rw[k].iam_email]
+    "roles/owner"                          = [module.stage3-sa-rw[k].iam_email]
+    "roles/resourcemanager.folderAdmin"    = [module.stage3-sa-rw[k].iam_email]
+    "roles/resourcemanager.projectCreator" = [module.stage3-sa-rw[k].iam_email]
+    "roles/compute.xpnAdmin"               = [module.stage3-sa-rw[k].iam_email]
+    "roles/viewer"                         = [module.stage3-sa-ro[k].iam_email]
+    "roles/resourcemanager.folderViewer"   = [module.stage3-sa-ro[k].iam_email]
+    }
+  }
   # normalize attributes
   stage3 = {
     for k, v in local._stage3 : k => merge(v, {
@@ -78,7 +88,7 @@ locals {
             members = [
               for m in vv.members : contains(["ro", "rw"], m) ? "${k}-${m}" : m
             ]
-            condition = vv.condition == null ? null : {
+            condition = lookup(vv, "condition", null) == null ? null : {
               title = vv.condition.title
               expression = templatestring(vv.condition.expression, {
                 custom_roles = var.custom_roles
@@ -95,7 +105,7 @@ locals {
           kk => {
             role   = vv.role
             member = contains(["ro", "rw"], vv.member) ? "${k}-${vv.member}" : vv.member
-            condition = vv.condition == null ? null : {
+            condition = lookup(vv, "condition", null) == null ? null : {
               title = vv.condition.title
               expression = templatestring(vv.condition.expression, {
                 custom_roles = var.custom_roles
@@ -107,6 +117,10 @@ locals {
             }
           }
         }
+        iam_by_principals = {
+          for kk, vv in v.folder_config.iam_by_principals :
+          (contains(["ro", "rw"], kk) ? "${k}-${kk}" : kk) => vv
+        }
       })
     })
     if !contains(
@@ -144,17 +158,40 @@ module "stage3-folder" {
   )
   name = each.value.folder_config.name
   iam = {
-    "roles/logging.admin"                  = [module.stage3-sa-rw[each.key].iam_email]
-    "roles/owner"                          = [module.stage3-sa-rw[each.key].iam_email]
-    "roles/resourcemanager.folderAdmin"    = [module.stage3-sa-rw[each.key].iam_email]
-    "roles/resourcemanager.projectCreator" = [module.stage3-sa-rw[each.key].iam_email]
-    "roles/compute.xpnAdmin"               = [module.stage3-sa-rw[each.key].iam_email]
-    "roles/viewer"                         = [module.stage3-sa-ro[each.key].iam_email]
-    "roles/resourcemanager.folderViewer"   = [module.stage3-sa-ro[each.key].iam_email]
-
+    # merge inputs/factory bindings with static role bindings in loocal._stage_3_iam
+    for role in concat(keys(each.value.folder_config.iam), keys(local._stage_3_iam[each.key])) :
+    lookup(var.custom_roles, role, role) => [
+      for m in concat(
+        lookup(local._stage_3_iam[each.key], role, []),
+        lookup(each.value.folder_config.iam, role, [])
+      ) : lookup(local.principals_iam, m, m)
+    ]
   }
-  iam_by_principals = each.value.folder_config.iam_by_principals
-  org_policies      = each.value.folder_config.org_policies
+
+  iam_bindings = {
+    for k, v in each.value.folder_config.iam_bindings : k => merge(v, {
+      members = [
+        for m in v.members : lookup(local.principals_iam, m, m)
+      ]
+      role      = lookup(var.custom_roles, v.role, v.role)
+      condition = v.condition
+    })
+  }
+  iam_bindings_additive = {
+    for k, v in each.value.folder_config.iam_bindings_additive : k => merge(v, {
+      member    = lookup(local.principals_iam, v.member, v.member)
+      role      = lookup(var.custom_roles, v.role, v.role)
+      condition = v.condition
+    })
+  }
+  iam_by_principals = {
+    for k, v in each.value.folder_config.iam_by_principals :
+    lookup(local.principals_iam, k, k) => [
+      for r in v : lookup(var.custom_roles, r, r)
+    ]
+  }
+
+  org_policies = each.value.folder_config.org_policies
   tag_bindings = merge(
     {
       (var.tag_names.environment) = local.tag_values["${var.tag_names.environment}/${var.environments[each.value.environment].tag_name}"].id
diff --git a/fast/stages/1-resman/variables-stages.tf b/fast/stages/1-resman/variables-stages.tf
index 74e04ae27..ef52cbbac 100644
--- a/fast/stages/1-resman/variables-stages.tf
+++ b/fast/stages/1-resman/variables-stages.tf
@@ -34,7 +34,15 @@ variable "fast_stage_2" {
       parent_id          = optional(string)
       create_env_folders = optional(bool, true)
       iam                = optional(map(list(string)), {})
-      iam_bindings       = optional(map(list(string)), {})
+      iam_bindings = optional(map(object({
+        member = string
+        role   = string
+        condition = optional(object({
+          expression  = string
+          title       = string
+          description = optional(string)
+        }))
+      })), {})
       iam_bindings_additive = optional(map(object({
         member = string
         role   = string
@@ -136,7 +144,15 @@ variable "fast_stage_3" {
       parent_id    = optional(string)
       tag_bindings = optional(map(string), {})
       iam          = optional(map(list(string)), {})
-      iam_bindings = optional(map(list(string)), {})
+      iam_bindings = optional(map(object({
+        member = string
+        role   = string
+        condition = optional(object({
+          expression  = string
+          title       = string
+          description = optional(string)
+        }))
+      })), {})
       iam_bindings_additive = optional(map(object({
         member = string
         role   = string