diff --git a/gcp/modules/fulcio/service_accounts.tf b/gcp/modules/fulcio/service_accounts.tf
index 8dd7d54..b308cd1 100644
--- a/gcp/modules/fulcio/service_accounts.tf
+++ b/gcp/modules/fulcio/service_accounts.tf
@@ -47,4 +47,12 @@ resource "google_project_iam_member" "fulcio_kms_viewer_member" {
 role = "roles/cloudkms.viewer"
 member = "serviceAccount:${google_service_account.fulcio-sa.email}"
 depends_on = [google_service_account.fulcio-sa]
-}
\ No newline at end of file
+}
+
+// Decrypt encrypted Tink keyset to get signing key
+resource "google_project_iam_member" "fulcio_kms_decrypter_member" {
+ project = var.project_id
+ role = "roles/cloudkms.cryptoKeyDecrypter"
+ member = "serviceAccount:${google_service_account.fulcio-sa.email}"
+ depends_on = [google_service_account.fulcio-sa]
+}
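Review bot: The new `fulcio_kms_decrypter_member` binding grants `roles/cloudkms.cryptoKeyDecrypter` on the whole project (`google_project_iam_member` with `project = var.project_id`), so the Fulcio service account can decrypt with every KMS key in the project, not only the key that wraps the Tink keyset the comment refers to. Decrypt is a far more sensitive capability than the project-wide `roles/cloudkms.viewer` binding above it, and a key-scoped binding is the least-privilege form: use `google_kms_crypto_key_iam_member` with `crypto_key_id` set to the wrapping key, as sketched below (the key reference is a placeholder; the hunk does not show which key or variable the module uses). If the key lives in another module, a variable for its resource id would need to be added to this module's inputs. The preceding resource `fulcio_kms_viewer_member` begins outside the hunk; only its tail is visible here.
```terraform
// Decrypt encrypted Tink keyset to get signing key
// Scoped to the single wrapping key rather than the whole project.
resource "google_kms_crypto_key_iam_member" "fulcio_kms_decrypter_member" {
  crypto_key_id = var.fulcio_keyset_kms_key_id // placeholder: resource id of the key wrapping the Tink keyset
  role          = "roles/cloudkms.cryptoKeyDecrypter"
  member        = "serviceAccount:${google_service_account.fulcio-sa.email}"
  depends_on    = [google_service_account.fulcio-sa]
}
```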