diff --git a/stack/__main__.py b/stack/__main__.py
index fc8eebab..2b8ba623 100644
--- a/stack/__main__.py
+++ b/stack/__main__.py
@@ -29,4 +29,6 @@
 pulumi.export("historical_run_url", cloud_function_historical_run.fxn.https_trigger_url)
 pulumi.export("ais_analysis_url", cloud_function_ais_analysis.fxn.https_trigger_url)
 pulumi.export("sns_topic_subscription", sns_subscription.sentinel1_sqs_target.arn)
-pulumi.export("api_key", pulumi.Config("cerulean-cloud").require("titiler_apikey"))
+pulumi.export(
+ "titiler_api_key", pulumi.Config("cerulean-cloud").require("titiler_apikey")
+)
diff --git a/stack/cloud_run_offset_tile.py b/stack/cloud_run_offset_tile.py
index e2eab3cc..ed4fe261 100644
--- a/stack/cloud_run_offset_tile.py
+++ b/stack/cloud_run_offset_tile.py
@@ -24,13 +24,15 @@
 ),
 )
 
-cloud_function_service_account_iam = gcp.projects.IAMMember(
- construct_name("cloud-run-offset-tile-secretmanagerSecretAccessor"),
- project=pulumi.Config("gcp").require("project"),
+# IAM Binding for Secret Manager access
+secret_accessor_binding = gcp.secretmanager.SecretIamMember(
+ construct_name("cloud-run-offset-tile-secret-accessor-binding"),
+ secret_id=pulumi.Config("cerulean-cloud").require("keyname"),
 role="roles/secretmanager.secretAccessor",
- member=cloud_function_service_account.email.apply(
- lambda email: f"serviceAccount:{email}"
+ member=pulumi.Output.concat(
+ "serviceAccount:", cloud_function_service_account.email
 ),
+ opts=pulumi.ResourceOptions(depends_on=[cloud_function_service_account]),
 )
 
 service_name = construct_name("cloud-run-offset-tiles")
diff --git a/stack/cloud_run_orchestrator.py b/stack/cloud_run_orchestrator.py
index 2f1af409..4427f11a 100644
--- a/stack/cloud_run_orchestrator.py
+++ b/stack/cloud_run_orchestrator.py
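Review bot: The renamed export on the added lines still passes `pulumi.Config("cerulean-cloud").require("titiler_apikey")` to `pulumi.export` as a plain string, so the API key lands in the stack outputs unencrypted (visible via `pulumi stack output` and in the state backend) unless it is marked secret somewhere not shown here. Reading it with `pulumi.Config("cerulean-cloud").require_secret("titiler_apikey")` keeps the value flagged as a secret, so the output is encrypted in state and redacted in CLI output. Renaming the output from `api_key` to `titiler_api_key` also breaks any consumer that reads the old key through a StackReference; that is presumably intended, but the commit message should say so.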
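Review bot: The added `opts=pulumi.ResourceOptions(depends_on=[cloud_function_service_account])` line is redundant, because `member` is built from `cloud_function_service_account.email` and Pulumi already records that dependency from the Output; the same applies to the identical hunks in stack/cloud_run_orchestrator.py and stack/cloud_run_tipg.py. The new resource also drops the explicit `project=pulumi.Config("gcp").require("project")` that the removed `IAMMember` carried, so the secret named by config key `keyname` is resolved in the provider's default project, which is fine only if that is where the secret lives; otherwise pass `project=` or use the full `projects/<project>/secrets/<name>` id. Narrowing the grant from project-wide `roles/secretmanager.secretAccessor` to a single secret is the right least-privilege move, but `SecretIamMember` is additive rather than an authoritative binding, so the comment and the `-binding` naming are misleading. I would write `# Additive IAM grant: let the service account read the single secret named by config "keyname"` and name the variable `secret_accessor_member`.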
@@ -46,13 +46,15 @@
 ),
 )
 
-cloud_function_service_account_iam = gcp.projects.IAMMember(
- construct_name("cloud-run-orchestrator-secretmanagerSecretAccessor"),
- project=pulumi.Config("gcp").require("project"),
+# IAM Binding for Secret Manager access
+secret_accessor_binding = gcp.secretmanager.SecretIamMember(
+ construct_name("cloud-run-orchestrator-secret-accessor-binding"),
+ secret_id=pulumi.Config("cerulean-cloud").require("keyname"),
 role="roles/secretmanager.secretAccessor",
- member=cloud_function_service_account.email.apply(
- lambda email: f"serviceAccount:{email}"
+ member=pulumi.Output.concat(
+ "serviceAccount:", cloud_function_service_account.email
 ),
+ opts=pulumi.ResourceOptions(depends_on=[cloud_function_service_account]),
 )
 
 
diff --git a/stack/cloud_run_tipg.py b/stack/cloud_run_tipg.py
index 00933bc1..19479f85 100644
--- a/stack/cloud_run_tipg.py
+++ b/stack/cloud_run_tipg.py
@@ -27,13 +27,15 @@
 ),
 )
 
-cloud_function_service_account_iam = gcp.projects.IAMMember(
- construct_name("cloud-run-tipg-secretmanagerSecretAccessor"),
- project=pulumi.Config("gcp").require("project"),
+# IAM Binding for Secret Manager access
+secret_accessor_binding = gcp.secretmanager.SecretIamMember(
+ construct_name("cloud-run-tipg-secret-accessor-binding"),
+ secret_id=pulumi.Config("cerulean-cloud").require("keyname"),
 role="roles/secretmanager.secretAccessor",
- member=cloud_function_service_account.email.apply(
- lambda email: f"serviceAccount:{email}"
+ member=pulumi.Output.concat(
+ "serviceAccount:", cloud_function_service_account.email
 ),
+ opts=pulumi.ResourceOptions(depends_on=[cloud_function_service_account]),
 )
 
 service_name = construct_name("cloud-run-tipg")