diff --git a/gcp/modules/ca/ca.tf b/gcp/modules/ca/ca.tf
index f3d55030..cef3ac81 100644
--- a/gcp/modules/ca/ca.tf
+++ b/gcp/modules/ca/ca.tf
@@ -30,6 +30,12 @@ resource "google_project_service" "service" {
 disable_on_destroy = false
 }
+resource "google_privateca_ca_pool_iam_member" "fulcio_member" {
+ ca_pool = "projects/${var.project_id}/locations/${var.region}/caPools/${var.ca_pool_name}"
+ role = "roles/privateca.certificateManager"
+ member = "serviceAccount:${var.service_account_id}"
+}
+
 resource "google_privateca_ca_pool" "sigstore-ca-pool" {
 name = var.ca_pool_name
diff --git a/gcp/modules/ca/variables.tf b/gcp/modules/ca/variables.tf
index 7d8aa12e..bd9f6604 100644
--- a/gcp/modules/ca/variables.tf
+++ b/gcp/modules/ca/variables.tf
@@ -41,3 +41,7 @@ variable "ca_name" {
 default = "sigstore-authority"
 }
+variable "service_account_id" {
+ description = "Service account to which to grant CA pool membership to"
+ type = string
+}
diff --git a/gcp/modules/fulcio/fulcio.tf b/gcp/modules/fulcio/fulcio.tf
index fe7b1714..ef50abe0 100644
--- a/gcp/modules/fulcio/fulcio.tf
+++ b/gcp/modules/fulcio/fulcio.tf
@@ -25,4 +25,6 @@ module "ca" {
 project_id = var.project_id
 ca_pool_name = var.ca_pool_name
 ca_name = var.ca_name
+
+ service_account_id = google_service_account.fulcio-sa.email
 }
diff --git a/gcp/modules/fulcio/service_accounts.tf b/gcp/modules/fulcio/service_accounts.tf
index c6cbb714..a3bc28c8 100644
--- a/gcp/modules/fulcio/service_accounts.tf
+++ b/gcp/modules/fulcio/service_accounts.tf
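Review bot: The new `fulcio_member` binding assembles its `ca_pool` path from `var.project_id`, `var.region` and `var.ca_pool_name` even though the pool it binds to, `google_privateca_ca_pool.sigstore-ca-pool`, is declared in this same file directly below it, so Terraform sees no dependency between the binding and the pool and can issue the IAM call before the pool exists on a fresh apply. Referencing the resource gives the ordering for free and removes any chance of the interpolated path diverging from the pool's real location (the pool's `location` is set outside the hunk, so I cannot confirm it equals `var.region`): `ca_pool = google_privateca_ca_pool.sigstore-ca-pool.id`. Separately, `roles/privateca.certificateManager` also allows listing, fetching and revoking every certificate issued from the pool; if the bound workload only needs to request leaf certificates, `roles/privateca.certificateRequester` is the least-privilege choice, but check which Private CA calls it actually makes before narrowing. The `sigstore-ca-pool` resource body continues past the end of the hunk.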
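Review bot: The description on the new `service_account_id` variable is ungrammatical ("to which ... to") and does not say what the value must be: ca.tf prefixes it with `serviceAccount:` and binds it to `roles/privateca.certificateManager`, so callers must pass the service account's email, not a numeric or unique ID as the `_id` suffix suggests. I would write `description = "Email of the service account granted roles/privateca.certificateManager on the CA pool (rendered as serviceAccount:<email>)"`. A `validation` block requiring the value to contain `@` would additionally turn a wrong input into a plan-time error rather than an opaque IAM failure at apply time.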
@@ -28,13 +28,6 @@ resource "google_service_account_iam_member" "gke_sa_iam_member_fulcio" {
 depends_on = [google_service_account.fulcio-sa]
 }
-resource "google_privateca_ca_pool_iam_member" "fulcio_member" {
- ca_pool = "projects/${var.project_id}/locations/${var.region}/caPools/${var.ca_pool_name}"
- role = "roles/privateca.certificateManager"
- member = "serviceAccount:${google_service_account.fulcio-sa.email}"
- depends_on = [google_service_account.fulcio-sa]
-}
-
 resource "google_kms_key_ring_iam_member" "fulcio_kms_signer_verifier_member" {
 key_ring_id = google_kms_key_ring.fulcio-keyring.id
 role = "roles/cloudkms.signerVerifier"