diff --git a/manifests/platform/openshift-monitoring/secretstore.yaml b/manifests/platform/openshift-monitoring/secretstore.yaml
index 7943207..04858d9 100644
--- a/manifests/platform/openshift-monitoring/secretstore.yaml
+++ b/manifests/platform/openshift-monitoring/secretstore.yaml
@@ -11,7 +11,7 @@ spec:
 retryInterval: 30s
 provider:
 gcpsm:
- projectID: okd-homelab
+ projectID:
 auth:
 workloadIdentityFederation:
 audience: //iam.googleapis.com/projects/1086456784694/locations/global/workloadIdentityPools/okd-pool/providers/okd-provider
diff --git a/terraform/okd/main.tf b/terraform/okd/main.tf
index cb477e3..3da9e11 100644
--- a/terraform/okd/main.tf
+++ b/terraform/okd/main.tf
@@ -142,3 +142,11 @@ resource "google_secret_manager_secret_iam_member" "openshift_monitoring_secret_
 role = "roles/secretmanager.secretAccessor"
 member = "principal://iam.googleapis.com/projects/${data.google_project.okd_homelab.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.okd_pool.workload_identity_pool_id}/subject/system:serviceaccount:openshift-monitoring:external-secrets"
 }
+
+# make k8s service account secretAccessor directly instead of via impersonation of google service account bc of eso limitations
+resource "google_secret_manager_secret_iam_member" "quay_pull_secret_accessor" {
+ project = data.google_project.okd_homelab.project_id
+ secret_id = "quay-jennweir-pull-secret"
+ role = "roles/secretmanager.secretAccessor"
+ member = "principal://iam.googleapis.com/projects/${data.google_project.okd_homelab.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.okd_pool.workload_identity_pool_id}/subject/system:serviceaccount:argocd:external-secrets"
+}
\ No newline at end of file
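Review bot: The added `projectID:` with no value parses as YAML null rather than an empty string, so the gcpsm provider is left with no explicit project; whether ESO then derives the project from the workload-identity credential or fails when it builds the `projects/<id>/secrets/<name>` resource path cannot be determined from this hunk and should be verified against the ESO version in use. If the goal is to stop hard-coding the project, note that the `audience:` line two below still embeds the project number, so blanking this field hides nothing. Either remove the key entirely or give it a value, and add a comment such as `# projectID intentionally unset: <reason>` so the next reader does not treat it as an unfinished edit. The SecretStore spec continues outside the hunk.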
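Review bot: The new binding's `secret_id = "quay-jennweir-pull-secret"` is a string literal while every other attribute in the block is a Terraform reference, so Terraform records no dependency on the secret itself; if that secret is managed in this configuration, reference it (`secret_id = google_secret_manager_secret.<name>.secret_id`) so create/destroy ordering is enforced, and if it is created outside Terraform the comment should say so. The comment above the resource should also name the specific ESO limitation that rules out impersonation of a Google service account here, so the direct binding can be revisited once that limitation is lifted; granting `secretAccessor` on a single secret to one namespaced subject is the tighter grant, which is worth stating explicitly. The file also ends without a trailing newline.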