diff --git a/infra/gcp/ensure-main-project.sh b/infra/gcp/ensure-main-project.sh
index e994f96cd290..93f21bf0b69e 100755
--- a/infra/gcp/ensure-main-project.sh
+++ b/infra/gcp/ensure-main-project.sh
@@ -396,11 +396,36 @@ function ensure_prow_special_cases {
         return 1
     fi
     local project="${1}"
+
+    local bucket principal secret
+
     color 6 "Special case: ensuring k8s-infra-ci-robot-github-token accessible by k8s-infra-prow-build-trusted"
-    local principal secret
     principal="serviceAccount:$(svc_acct_email "k8s-infra-prow-build-trusted" "kubernetes-external-secrets")"
     secret=$(secret_full_name "${project}" "k8s-infra-ci-robot-github-token")
-    ensure_secret_role_binding "${secret}" "${principal}" "roles/secretmanager.secretAccessor"
+    ensure_secret_role_binding "${secret}" "${principal}" "roles/secretmanager.secretAccessor" 2>&1 | indent
+
+    color 6 "Special case: ensuring gs://k8s-metrics-canary exists for gs://k8s-metrics migration"
+    (
+      bucket="gs://k8s-metrics-canary"
+      owners="k8s-infra-prow-oncall@kubernetes.io"
+      local old_service_account="triage@k8s-gubernator.iam.gserviceaccount.com"
+
+      ensure_public_gcs_bucket "${project}" "${bucket}"
+      ensure_gcs_bucket_auto_deletion "${bucket}" "365" # match gs://k8s-metrics
+      # GCS admins can admin all GCS buckets
+      empower_gcs_admins "${project}" "${bucket}"
+      # bucket owners can admin this bucket
+      empower_group_to_admin_gcs_bucket "${owners}" "${bucket}"
+      # TODO(spiffxp): copy pasted to flip to ensure_removed when migrated
+      # k8s-prow-builds can write to this bucket
+      principal="serviceAccount:${old_service_account}"
+      ensure_gcs_role_binding "${bucket}" "${principal}" "objectAdmin"
+      ensure_gcs_role_binding "${bucket}" "${principal}" "legacyBucketWriter"
+      # k8s-infra-prow-build-trusted can write to this bucket
+      principal="serviceAccount:$(svc_acc_email "k8s-infra-prow-build-trusted" "k8s-metrics")"
+      ensure_gcs_role_binding "${bucket}" "${principal}" "objectAdmin"
+      ensure_gcs_role_binding "${bucket}" "${principal}" "legacyBucketWriter"
+    ) 2>&1 | indent
 }
 
 function ensure_main_project() {