diff --git a/0-bootstrap/sa.tf b/0-bootstrap/sa.tf
index 3cc484d93..1aad703cb 100644
--- a/0-bootstrap/sa.tf
+++ b/0-bootstrap/sa.tf
@@ -26,8 +26,12 @@ locals {
 "proj" = "Foundation Projects SA. Managed by Terraform.",
 }
+ common_roles = [
+ "roles/browser", // Required for gcloud beta terraform vet to be able to read the ancestry of folders
+ ]
+
 granular_sa_org_level_roles = {
- "org" = [
+ "org" = distinct(concat([
 "roles/orgpolicy.policyAdmin",
 "roles/logging.configWriter",
 "roles/resourcemanager.organizationAdmin",
@@ -35,15 +39,17 @@ locals {
 "roles/resourcemanager.organizationViewer",
 "roles/accesscontextmanager.policyAdmin",
 "roles/essentialcontacts.admin",
- ],
- "net" = [
+ ], local.common_roles)),
+ "env" = distinct(concat([
+ ], local.common_roles)),
+ "net" = distinct(concat([
 "roles/accesscontextmanager.policyAdmin",
 "roles/compute.xpnAdmin",
- ],
- "proj" = [
+ ], local.common_roles)),
+ "proj" = distinct(concat([
 "roles/accesscontextmanager.policyAdmin",
- "roles/serviceusage.serviceUsageConsumer"
- ],
+ "roles/serviceusage.serviceUsageConsumer",
+ ], local.common_roles)),
 }
 granular_sa_parent_level_roles = {
diff --git a/test/integration/bootstrap/bootstrap_test.go b/test/integration/bootstrap/bootstrap_test.go
index c00b68528..b6f256f6d 100644
--- a/test/integration/bootstrap/bootstrap_test.go
+++ b/test/integration/bootstrap/bootstrap_test.go
@@ -203,6 +203,7 @@ func TestBootstrap(t *testing.T) {
 orgRoles: []string{
 "roles/accesscontextmanager.policyAdmin",
 "roles/serviceusage.serviceUsageConsumer",
+ "roles/browser",
 },
 },
 {
@@ -210,10 +211,14 @@ func TestBootstrap(t *testing.T) {
 orgRoles: []string{
 "roles/accesscontextmanager.policyAdmin",
 "roles/compute.xpnAdmin",
+ "roles/browser",
 },
 },
 {
 output: "environment_step_terraform_service_account_email",
+ orgRoles: []string{
+ "roles/browser",
+ },
 },
 {
 output: "organization_step_terraform_service_account_email",
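Review bot: `roles/browser` in `common_roles` is merged into every entry of `granular_sa_org_level_roles`, so — assuming that map is what gets bound at the organization node, as its name and the `orgRoles` test field suggest — each step service account gains read visibility of the whole resource hierarchy, not only of the folders it manages. The inline comment explains what needs the role but not why it must be org-wide; it should record that decision, e.g. `# Bound at the organization: gcloud beta terraform vet must resolve folder ancestry up to the org node; a folder-level binding was considered insufficient`, with the "considered insufficient" part confirmed or adjusted by the author. The comment also uses `//` where HCL's conventional marker is `#`; match whatever the rest of sa.tf uses. The `locals` block starts before this hunk and continues past it.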
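Review bot: `"env"` is a new key in `granular_sa_org_level_roles` whose inline list is empty, so `"env" = distinct(concat([ ], local.common_roles))` reduces to `"env" = local.common_roles`; the empty `[` / `]` pair on its own line reads like a leftover and is clearer written as the direct assignment, or with a comment such as `# env has no step-specific org roles, only the common set`. Because the environment SA previously had no entry in this map at all, whatever iterates it (outside the hunk) now creates an org-level binding for a fourth identity; the expectation added in bootstrap_test.go covers that, but confirm the consumer keys on the map rather than on a fixed set of step names. The `locals` block continues past this hunk.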
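Review bot: `"roles/browser"` is now typed by hand into four table cases (here, the @@ -210 hunk and the @@ -224 hunk), mirroring `local.common_roles` in 0-bootstrap/sa.tf without a shared definition on the Go side, so a future addition to the common list is easy to miss in one case. Consider a single `commonOrgRoles := []string{"roles/browser"}` appended to each case's `orgRoles` where the table is consumed, or at least a comment on the first occurrence, `// mirrors local.common_roles in 0-bootstrap/sa.tf`, so the two lists are kept in step. TestBootstrap and its case table begin before this hunk.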
@@ -224,6 +229,7 @@ func TestBootstrap(t *testing.T) {
 "roles/securitycenter.notificationConfigEditor",
 "roles/resourcemanager.organizationViewer",
 "roles/accesscontextmanager.policyAdmin",
+ "roles/browser",
 },
 },
 } {