diff --git a/terraform/env/kub-ent-dev.tfvars b/terraform/env/kub-ent-dev.tfvars
index 4d522188..74f76db6 100644
--- a/terraform/env/kub-ent-dev.tfvars
+++ b/terraform/env/kub-ent-dev.tfvars
@@ -3,4 +3,5 @@ antu_netex_validation_status_queue_topic = "projects/ent-antu-dev/topics/AntuNet
 bucket_instance_suffix="dev"
 ashur_service_account="serviceAccount:application@ent-ashur-dev.iam.gserviceaccount.com"
 marduk_exchange_storage_bucket="marduk-exchange-dev"
-servicelinker_service_account="serviceAccount:application@ent-servicelnk-dev.iam.gserviceaccount.com"
\ No newline at end of file
+servicelinker_service_account="serviceAccount:application@ent-servicelnk-dev.iam.gserviceaccount.com"
+servicelinker_terraform_service_account="serviceAccount:gh-servicelinker-5cdd-dev@ent-github-shr.iam.gserviceaccount.com"
\ No newline at end of file
diff --git a/terraform/env/kub-ent-prd.tfvars b/terraform/env/kub-ent-prd.tfvars
index b7853d56..bcc0391d 100644
--- a/terraform/env/kub-ent-prd.tfvars
+++ b/terraform/env/kub-ent-prd.tfvars
@@ -5,6 +5,7 @@ bucket_instance_suffix="production"
 ashur_service_account="serviceAccount:application@ent-ashur-prd.iam.gserviceaccount.com"
 marduk_exchange_storage_bucket="marduk-exchange-production"
 servicelinker_service_account="serviceAccount:application@ent-servicelnk-prd.iam.gserviceaccount.com"
+servicelinker_terraform_service_account="serviceAccount:gh-servicelinker-5cdd-prd@ent-github-shr.iam.gserviceaccount.com"
 
 labels = {
 manager = "terraform"
diff --git a/terraform/env/kub-ent-tst.tfvars b/terraform/env/kub-ent-tst.tfvars
index 52d9e4cd..3a7940a6 100644
--- a/terraform/env/kub-ent-tst.tfvars
+++ b/terraform/env/kub-ent-tst.tfvars
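Review bot: The new `servicelinker_terraform_service_account` values in the dev and prd hunks (and the tst hunk that follows on the next line) bind a CI identity hosted in the shared `ent-github-shr` project to each environment's topics, and nothing in the tfvars records which GitHub repository or branch the Workload Identity Federation pool is expected to map onto `gh-servicelinker-5cdd-<env>`, so a reader of the production file cannot tell from here who can end up holding `roles/pubsub.subscriber` on the prod topics. A one-line comment above the prd value, e.g. `# Reachable only through the servicelinker WIF pool; keep the pool's attribute condition pinned to <REPO/BRANCH placeholder>`, would make the trust boundary auditable from this file. Whether the pool actually carries such a condition is outside this diff and presumably needs to be confirmed separately.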
@@ -3,4 +3,5 @@ antu_netex_validation_status_queue_topic = "projects/ent-antu-tst/topics/AntuNet
 bucket_instance_suffix="test"
 ashur_service_account="serviceAccount:application@ent-ashur-tst.iam.gserviceaccount.com"
 marduk_exchange_storage_bucket="marduk-exchange-test"
-servicelinker_service_account="serviceAccount:application@ent-servicelnk-tst.iam.gserviceaccount.com"
\ No newline at end of file
+servicelinker_service_account="serviceAccount:application@ent-servicelnk-tst.iam.gserviceaccount.com"
+servicelinker_terraform_service_account="serviceAccount:gh-servicelinker-5cdd-tst@ent-github-shr.iam.gserviceaccount.com"
\ No newline at end of file
diff --git a/terraform/iam.tf b/terraform/iam.tf
index f260ba92..4e4e6376 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -24,19 +24,19 @@ resource "google_pubsub_topic_iam_member" "ServicelinkerStatusQueuePublisherRole
 member = var.servicelinker_service_account
 }
 
-# Servicelinker's Terraform SA needs roles/pubsub.subscriber (which includes
-# pubsub.topics.attachSubscription) on these topics so it can create
-# cross-project subscriptions from ent-servicelnk-* to ent-marduk-*.
+# Servicelinker's GitHub Actions Terraform SA (via Workload Identity Federation)
+# needs roles/pubsub.subscriber (which includes pubsub.topics.attachSubscription)
+# on these topics to create cross-project subscriptions from ent-servicelnk-* to ent-marduk-*.
 resource "google_pubsub_topic_iam_member" "ServicelinkerInboundQueueSubscriberRole" {
 project = var.gcp_resources_project
 topic = google_pubsub_topic.ServicelinkerInboundQueue.name
 role = "roles/pubsub.subscriber"
- member = var.servicelinker_service_account
+ member = var.servicelinker_terraform_service_account
 }
 
 resource "google_pubsub_topic_iam_member" "ServicelinkerStatusQueueSubscriberRole" {
 project = var.gcp_resources_project
 topic = google_pubsub_topic.ServicelinkerStatusQueue.name
 role = "roles/pubsub.subscriber"
- member = var.servicelinker_service_account
+ member = var.servicelinker_terraform_service_account
 }
\ No newline at end of file
diff --git a/terraform/variables.tf b/terraform/variables.tf
index eb1e1b1f..effbd5b3 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -90,6 +90,10 @@ variable "servicelinker_service_account" {
 description = "The service account of the servicelinker application"
 }
 
+variable "servicelinker_terraform_service_account" {
+ description = "The GitHub Actions Terraform SA for servicelinker (via Workload Identity Federation), needs roles/pubsub.subscriber on Servicelinker topics to create cross-project subscriptions"
+}
+
 variable "marduk_exchange_storage_bucket" {
 description = "The bucket used to exchange files with Marduk"
 }
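Review bot: Switching `member` on `ServicelinkerInboundQueueSubscriberRole` and `ServicelinkerStatusQueueSubscriberRole` to the Terraform SA also revokes the application SA's `roles/pubsub.subscriber` on both topics, because `google_pubsub_topic_iam_member` is identified by role plus member; that is presumably intended, but the rewritten comment block does not say so, and a later reader may "fix" it by re-adding the old binding. A line such as `# NOTE: this replaces (does not supplement) the application SA's topic-level binding — confirm the app needs no topic-level permission here.` would record the decision. At topic scope the only permission the CI identity appears to need from that role is `pubsub.topics.attachSubscription`, so if the organisation permits custom roles, a custom role carrying just that permission would keep a CI principal from holding the rest of `roles/pubsub.subscriber` on these topics.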
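Review bot: The new `servicelinker_terraform_service_account` variable in the variables.tf hunk declares neither a `type` nor a `validation`, so a value missing the `serviceAccount:` prefix, or an empty string when a tfvars file forgets it, is only rejected when the IAM member resources fail at apply time, after the plan has already been approved. The sibling `servicelinker_service_account` has the same gap, so this matches file style, but a CI identity's member string is worth pinning at plan time. `can(regex(...))` is used below rather than `startswith` so the check does not depend on the pinned Terraform version.
```hcl
variable "servicelinker_terraform_service_account" {
  type        = string
  description = "The GitHub Actions Terraform SA for servicelinker (via Workload Identity Federation), needs roles/pubsub.subscriber on Servicelinker topics to create cross-project subscriptions"

  validation {
    condition     = can(regex("^serviceAccount:", var.servicelinker_terraform_service_account))
    error_message = "Must be an IAM member string of the form serviceAccount:<email>."
  }
}
```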