diff --git a/gcp-py-oidc-provider-pulumi-cloud/README.md b/gcp-py-oidc-provider-pulumi-cloud/README.md
index 9bd42e583..862fd1723 100644
--- a/gcp-py-oidc-provider-pulumi-cloud/README.md
+++ b/gcp-py-oidc-provider-pulumi-cloud/README.md
@@ -53,13 +53,19 @@ Start by [creating a new Pulumi ESC environment](https://www.pulumi.com/docs/pul
 ```bash
 $ pulumi env open myOrg/myEnvironment
 {
+ "environmentVariables": {
+ "GOOGLE_PROJECT":
+ },
 "gcp": {
 "login": {
- "accessToken": "N777Agel_gBF...",
- "expiry": "2023-10-12T14:38:00Z",
- "project": 842111111111,
+ "accessToken": "ya29.......",
+ "expiry": "2023-11-07T18:02:35Z",
+ "project": ,
 "tokenType": "Bearer"
 }
+ },
+ "pulumiConfig": {
+ "gcp:accessToken": "ya29......."
 }
 }
 ```
diff --git a/gcp-py-oidc-provider-pulumi-cloud/__main__.py b/gcp-py-oidc-provider-pulumi-cloud/__main__.py
index 14f28bf60..0786cec31 100644
--- a/gcp-py-oidc-provider-pulumi-cloud/__main__.py
+++ b/gcp-py-oidc-provider-pulumi-cloud/__main__.py
@@ -1,8 +1,14 @@
 import pulumi
-from pulumi_gcp import organizations, iam, serviceaccount
+from pulumi_gcp import organizations, iam, serviceaccount, projects
 import yaml
 import random
 
+'''
+For the purposes of this example, a random number
+will be generated and assigned to parameter values that
+require unique values. This should be removed in favor
+of providing unique naming conventions where required.
+'''
 number = random.randint(1000,9999)
 issuer = "https://api.pulumi.com/oidc"
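Review bot: The `'''...'''` block added after the imports in `__main__.py` is a bare string expression statement, not a comment; it is evaluated at import time and looks like a misplaced module docstring, which it cannot be because it is not the first statement in the module. Write those five lines as `#`-prefixed comment lines with the same text so the intent (the `random.randint(1000,9999)` suffix is a demo-only uniqueness hack to be replaced by a real naming convention) is carried by a comment rather than a no-op statement. The explanation itself is worth keeping for anyone copying the example.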
@@ -45,7 +51,14 @@
 display_name="Pulumi OIDC Service Account"
 )
 
-# Create an IAM policy binding to grant the identity pool access to the service account
+# Grant the service account 'roles/editor' on the project
+editor_policy_binding = projects.IAMMember("editorIamBinding",
+ member=service_account.email.apply(lambda email: f"serviceAccount:{email}"),
+ role="roles/editor",
+ project=project_id
+)
+
+# Allow the workload identity pool to impersonate the service account
 iam_policy_binding = serviceaccount.IAMBinding("iamPolicyBinding",
 service_account_id=service_account.name,
 role="roles/iam.workloadIdentityUser",
@@ -70,6 +83,12 @@ def create_yaml_structure(args):
 }
 }
 }
+ },
+ 'pulumiConfig': {
+ 'gcp:accessToken': '${gcp.login.accessToken}'
+ },
+ 'environmentVariables': {
+ 'GOOGLE_PROJECT': '${gcp.login.project}'
 }
 }
 }
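Review bot: `roles/editor` is a broad basic role, and the new `projects.IAMMember` grant attaches it to the same service account that the `roles/iam.workloadIdentityUser` binding below lets the workload identity pool impersonate, so every token minted through the OIDC trust carries editor on the whole project. For an example that gets copied, put a comment above the grant such as `# NOTE: roles/editor is a broad basic role; narrow this to the predefined roles the stack actually deploys with (least privilege).` and consider reading the role from config so users must choose it consciously. The local is named `editor_policy_binding` and the resource `"editorIamBinding"` while the type is the non-authoritative `IAMMember`; `editor_member` / `"editorIamMember"` would describe what is created. `project_id` is used here but defined outside the hunk.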
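Review bot: In the `create_yaml_structure` hunk, `GOOGLE_PROJECT` is filled from `${gcp.login.project}`, which the README sample in this same commit shows as a numeric value (`"project": 842111111111` on the old side), whereas `GOOGLE_PROJECT` is conventionally a project ID; confirm the provider resolves a project number everywhere a project ID is expected, or say in the README that the number is intended. A hedged comment on the `'environmentVariables'` entry would help readers, e.g. `# NOTE(review): gcp.login.project appears to be the project number, not the ID — confirm before relying on GOOGLE_PROJECT`. `create_yaml_structure` begins outside the hunk, so whether `pulumiConfig` and `environmentVariables` land as siblings of `gcp` under `values` cannot be verified from these lines.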