diff --git a/src/gcloud/buckets.yaml b/src/gcloud/buckets.yaml
index ce4c3186..9b6c9ce3 100644
--- a/src/gcloud/buckets.yaml
+++ b/src/gcloud/buckets.yaml
@@ -38,6 +38,12 @@ resources:
       defaultObjectAcl:
         - entity: allUsers
           role: READER
+      accessControl:
+        gcpIamPolicy:
+          bindings:
+            - role: roles/dynamicbible_publish
+              members:
+                - "serviceAccount:$(ref.gitlab-service-account.email)"
   - name: gitlab-service-account
     type: iam.v1.serviceAccount
     properties: