diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl
index afedce7f55..1ac8ee57e9 100644
--- a/autogen/main/outputs.tf.tmpl
+++ b/autogen/main/outputs.tf.tmpl
@@ -239,3 +239,10 @@ output "fleet_membership" {
 description = "Fleet membership (if registered)"
 value = local.fleet_membership
 }
+{% if beta_cluster %}
+
+output "fleet_project_service_agent_email" {
+ description = "Fleet project service agent email (if granted)"
+ value = try(google_project_service_identity.fleet_project[0].email, null)
+}
+{% endif %}
diff --git a/autogen/main/sa.tf.tmpl b/autogen/main/sa.tf.tmpl
index 1ab198a8b5..65689ad5ec 100644
--- a/autogen/main/sa.tf.tmpl
+++ b/autogen/main/sa.tf.tmpl
@@ -65,3 +65,19 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
 role = "roles/artifactregistry.reader"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+{% if beta_cluster %}
+
+resource "google_project_service_identity" "fleet_project" {
+ count = var.fleet_project_grant_service_agent ? 1 : 0
+ provider = google-beta
+ project = var.fleet_project
+ service = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+ for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+ project = var.fleet_project
+ role = each.value
+ member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}
+{% endif %}
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index e625e3d4ce..71c3214e3e 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
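Review bot: In the sa.tf.tmpl hunk both `google_project_iam_member.service_agent` bindings are placed on `project = var.fleet_project`, the same project whose GKE Hub service agent is being created, while the `roles/gkehub.crossProjectServiceAgent` role name suggests the intent is to let that agent reach a cluster registered from a different project, which would put the binding on the cluster project instead; confirm the target project against the documented cross-project fleet registration steps, since a binding in the wrong project widens the agent's rights without making registration work. Nothing ties `fleet_project_grant_service_agent` to `fleet_project`: with the flag true and `fleet_project` left at its `null` default, `project = var.fleet_project` on both resources falls back to the provider's default project, so the identity and both role grants silently land wherever the provider happens to be pointed. A `precondition` on `google_project_service_identity.fleet_project` turns that into a plan-time error, as sketched below (this presumes the module's minimum Terraform version allows resource preconditions, 1.2 or later). Separately, the `for_each` false arm `[]` is an empty tuple against a `set(string)` true arm; `toset([])` keeps both arms the same type instead of relying on conditional type conversion.
```hcl
resource "google_project_service_identity" "fleet_project" {
  # … unchanged: count / provider / project / service …

  lifecycle {
    precondition {
      condition     = var.fleet_project != null
      error_message = "fleet_project must be set when fleet_project_grant_service_agent is true."
    }
  }
}
```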
@@ -863,3 +863,11 @@ variable "fleet_project" {
 type = string
 default = null
 }
+{% if beta_cluster %}
+
+variable "fleet_project_grant_service_agent" {
+ description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+ type = bool
+ default = false
+}
+{% endif %}
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index ff40b31c79..64cebf1a5e 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
@@ -99,6 +99,7 @@ Then perform the following commands on the root folder:
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
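Review bot: The description of `fleet_project_grant_service_agent` in the variables.tf.tmpl hunk lists the two roles but says neither which project the bindings land in nor that the flag depends on `fleet_project`, and the generated README tables repeat this text verbatim, so it is all a caller sees. Because the flag creates a `gkehub.googleapis.com` service identity and binds IAM roles using `var.fleet_project` as the project, the description should name that target and state the dependency, e.g. `"(Optional) Create the GKE Hub service identity for fleet_project and grant it roles/gkehub.serviceAgent and roles/gkehub.crossProjectServiceAgent. Requires fleet_project to be set."`. Two IAM grants to a Google-managed service agent are a privilege change that belongs in the variable documentation, not only in sa.tf.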
[
"8443",
"9443",
"15017"
]
| no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
+| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
@@ -155,6 +156,7 @@ Then perform the following commands on the root folder:
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
 | fleet\_membership | Fleet membership (if registered) |
+| fleet\_project\_service\_agent\_email | Fleet project service agent email (if granted) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
diff --git a/modules/beta-autopilot-private-cluster/outputs.tf b/modules/beta-autopilot-private-cluster/outputs.tf
index f2888c0aa1..c509ef9084 100644
--- a/modules/beta-autopilot-private-cluster/outputs.tf
+++ b/modules/beta-autopilot-private-cluster/outputs.tf
@@ -193,3 +193,8 @@ output "fleet_membership" {
 description = "Fleet membership (if registered)"
 value = local.fleet_membership
 }
+
+output "fleet_project_service_agent_email" {
+ description = "Fleet project service agent email (if granted)"
+ value = try(google_project_service_identity.fleet_project[0].email, null)
+}
diff --git a/modules/beta-autopilot-private-cluster/sa.tf b/modules/beta-autopilot-private-cluster/sa.tf
index 6f89899bee..31943b4326 100644
--- a/modules/beta-autopilot-private-cluster/sa.tf
+++ b/modules/beta-autopilot-private-cluster/sa.tf
@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
 role = "roles/artifactregistry.reader"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+ count = var.fleet_project_grant_service_agent ? 1 : 0
+ provider = google-beta
+ project = var.fleet_project
+ service = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+ for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+ project = var.fleet_project
+ role = each.value
+ member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index 35325d6774..b1987188b4 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -466,3 +466,9 @@ variable "fleet_project" {
 type = string
 default = null
 }
+
+variable "fleet_project_grant_service_agent" {
+ description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+ type = bool
+ default = false
+}
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
index 198fde422e..c2e52db41b 100644
--- a/modules/beta-autopilot-public-cluster/README.md
+++ b/modules/beta-autopilot-public-cluster/README.md
@@ -90,6 +90,7 @@ Then perform the following commands on the root folder:
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
+| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
@@ -144,6 +145,7 @@ Then perform the following commands on the root folder:
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
 | fleet\_membership | Fleet membership (if registered) |
+| fleet\_project\_service\_agent\_email | Fleet project service agent email (if granted) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
diff --git a/modules/beta-autopilot-public-cluster/outputs.tf b/modules/beta-autopilot-public-cluster/outputs.tf
index 9b26f835f8..95a8aaf3fa 100644
--- a/modules/beta-autopilot-public-cluster/outputs.tf
+++ b/modules/beta-autopilot-public-cluster/outputs.tf
@@ -183,3 +183,8 @@ output "fleet_membership" {
 description = "Fleet membership (if registered)"
 value = local.fleet_membership
 }
+
+output "fleet_project_service_agent_email" {
+ description = "Fleet project service agent email (if granted)"
+ value = try(google_project_service_identity.fleet_project[0].email, null)
+}
diff --git a/modules/beta-autopilot-public-cluster/sa.tf b/modules/beta-autopilot-public-cluster/sa.tf
index 6f89899bee..31943b4326 100644
--- a/modules/beta-autopilot-public-cluster/sa.tf
+++ b/modules/beta-autopilot-public-cluster/sa.tf
@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
 role = "roles/artifactregistry.reader"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+ count = var.fleet_project_grant_service_agent ? 1 : 0
+ provider = google-beta
+ project = var.fleet_project
+ service = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+ for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+ project = var.fleet_project
+ role = each.value
+ member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf
index 0d3c5cdd5c..29a3db949b 100644
--- a/modules/beta-autopilot-public-cluster/variables.tf
+++ b/modules/beta-autopilot-public-cluster/variables.tf
@@ -436,3 +436,9 @@ variable "fleet_project" {
 type = string
 default = null
 }
+
+variable "fleet_project_grant_service_agent" {
+ description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+ type = bool
+ default = false
+}
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 3e31d9d529..9293e666d5 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -212,6 +212,7 @@ Then perform the following commands on the root folder:
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
+| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
 | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
 | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
@@ -295,6 +296,7 @@ Then perform the following commands on the root folder:
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
 | fleet\_membership | Fleet membership (if registered) |
+| fleet\_project\_service\_agent\_email | Fleet project service agent email (if granted) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf
index 2d8e768f7c..47c8988d76 100644
--- a/modules/beta-private-cluster-update-variant/outputs.tf
+++ b/modules/beta-private-cluster-update-variant/outputs.tf
@@ -219,3 +219,8 @@ output "fleet_membership" {
 description = "Fleet membership (if registered)"
 value = local.fleet_membership
 }
+
+output "fleet_project_service_agent_email" {
+ description = "Fleet project service agent email (if granted)"
+ value = try(google_project_service_identity.fleet_project[0].email, null)
+}
diff --git a/modules/beta-private-cluster-update-variant/sa.tf b/modules/beta-private-cluster-update-variant/sa.tf
index 6f89899bee..31943b4326 100644
--- a/modules/beta-private-cluster-update-variant/sa.tf
+++ b/modules/beta-private-cluster-update-variant/sa.tf
@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
 role = "roles/artifactregistry.reader"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+ count = var.fleet_project_grant_service_agent ? 1 : 0
+ provider = google-beta
+ project = var.fleet_project
+ service = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+ for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+ project = var.fleet_project
+ role = each.value
+ member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index eeefad4291..558d1b9118 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -817,3 +817,9 @@ variable "fleet_project" {
 type = string
 default = null
 }
+
+variable "fleet_project_grant_service_agent" {
+ description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+ type = bool
+ default = false
+}
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index b9379d4554..beef390893 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -190,6 +190,7 @@ Then perform the following commands on the root folder:
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
+| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
 | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
 | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
@@ -273,6 +274,7 @@ Then perform the following commands on the root folder:
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
 | fleet\_membership | Fleet membership (if registered) |
+| fleet\_project\_service\_agent\_email | Fleet project service agent email (if granted) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf
index 2d8e768f7c..47c8988d76 100644
--- a/modules/beta-private-cluster/outputs.tf
+++ b/modules/beta-private-cluster/outputs.tf
@@ -219,3 +219,8 @@ output "fleet_membership" {
 description = "Fleet membership (if registered)"
 value = local.fleet_membership
 }
+
+output "fleet_project_service_agent_email" {
+ description = "Fleet project service agent email (if granted)"
+ value = try(google_project_service_identity.fleet_project[0].email, null)
+}
diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf
index 6f89899bee..31943b4326 100644
--- a/modules/beta-private-cluster/sa.tf
+++ b/modules/beta-private-cluster/sa.tf
@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
 role = "roles/artifactregistry.reader"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+ count = var.fleet_project_grant_service_agent ? 1 : 0
+ provider = google-beta
+ project = var.fleet_project
+ service = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+ for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+ project = var.fleet_project
+ role = each.value
+ member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index eeefad4291..558d1b9118 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -817,3 +817,9 @@ variable "fleet_project" {
 type = string
 default = null
 }
+
+variable "fleet_project_grant_service_agent" {
+ description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+ type = bool
+ default = false
+}
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 4b30d2352a..2e9d6ff0dc 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -203,6 +203,7 @@ Then perform the following commands on the root folder:
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
+| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
 | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
 | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
@@ -284,6 +285,7 @@ Then perform the following commands on the root folder:
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
 | fleet\_membership | Fleet membership (if registered) |
+| fleet\_project\_service\_agent\_email | Fleet project service agent email (if granted) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf
index e388fb4406..3ca09d6f06 100644
--- a/modules/beta-public-cluster-update-variant/outputs.tf
+++ b/modules/beta-public-cluster-update-variant/outputs.tf
@@ -209,3 +209,8 @@ output "fleet_membership" {
 description = "Fleet membership (if registered)"
 value = local.fleet_membership
 }
+
+output "fleet_project_service_agent_email" {
+ description = "Fleet project service agent email (if granted)"
+ value = try(google_project_service_identity.fleet_project[0].email, null)
+}
diff --git a/modules/beta-public-cluster-update-variant/sa.tf b/modules/beta-public-cluster-update-variant/sa.tf
index 6f89899bee..31943b4326 100644
--- a/modules/beta-public-cluster-update-variant/sa.tf
+++ b/modules/beta-public-cluster-update-variant/sa.tf
@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
 role = "roles/artifactregistry.reader"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+ count = var.fleet_project_grant_service_agent ? 1 : 0
+ provider = google-beta
+ project = var.fleet_project
+ service = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+ for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+ project = var.fleet_project
+ role = each.value
+ member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index ff2f84c094..40023d59b2 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -787,3 +787,9 @@ variable "fleet_project" {
 type = string
 default = null
 }
+
+variable "fleet_project_grant_service_agent" {
+ description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+ type = bool
+ default = false
+}
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 8c4288e7f0..209ad72749 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -181,6 +181,7 @@ Then perform the following commands on the root folder:
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
+| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
 | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
 | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
 | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
@@ -262,6 +263,7 @@ Then perform the following commands on the root folder:
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
 | fleet\_membership | Fleet membership (if registered) |
+| fleet\_project\_service\_agent\_email | Fleet project service agent email (if granted) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf
index e388fb4406..3ca09d6f06 100644
--- a/modules/beta-public-cluster/outputs.tf
+++ b/modules/beta-public-cluster/outputs.tf
@@ -209,3 +209,8 @@ output "fleet_membership" {
 description = "Fleet membership (if registered)"
 value = local.fleet_membership
 }
+
+output "fleet_project_service_agent_email" {
+ description = "Fleet project service agent email (if granted)"
+ value = try(google_project_service_identity.fleet_project[0].email, null)
+}
diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf
index 6f89899bee..31943b4326 100644
--- a/modules/beta-public-cluster/sa.tf
+++ b/modules/beta-public-cluster/sa.tf
@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
 role = "roles/artifactregistry.reader"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+ count = var.fleet_project_grant_service_agent ? 1 : 0
+ provider = google-beta
+ project = var.fleet_project
+ service = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+ for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+ project = var.fleet_project
+ role = each.value
+ member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index ff2f84c094..40023d59b2 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -787,3 +787,9 @@ variable "fleet_project" {
 type = string
 default = null
 }
+
+variable "fleet_project_grant_service_agent" {
+ description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+ type = bool
+ default = false
+}