diff --git a/cli/cmd/bootstrap_gcp.go b/cli/cmd/bootstrap_gcp.go
index f522419a..66bc5223 100644
--- a/cli/cmd/bootstrap_gcp.go
+++ b/cli/cmd/bootstrap_gcp.go
@@ -89,11 +89,16 @@ func AddBootstrapGcpCmd(parent *cobra.Command, opts *GlobalOptions) {
 flags.StringArrayVar(&bootstrapGcpCmd.CodesphereEnv.Experiments, "experiments", gcp.DefaultExperiments, "Experiments to enable in Codesphere installation (optional)")
 flags.StringArrayVar(&bootstrapGcpCmd.CodesphereEnv.FeatureFlags, "feature-flags", []string{}, "Feature flags to enable in Codesphere installation (optional)")
+ // OpenBao
 flags.StringVar(&bootstrapGcpCmd.CodesphereEnv.OpenBaoURI, "openbao-uri", "", "URI for OpenBao (optional)")
 flags.StringVar(&bootstrapGcpCmd.CodesphereEnv.OpenBaoEngine, "openbao-engine", "cs-secrets-engine", "OpenBao engine name (default: cs-secrets-engine)")
 flags.StringVar(&bootstrapGcpCmd.CodesphereEnv.OpenBaoUser, "openbao-user", "admin", "OpenBao username (optional)")
 flags.StringVar(&bootstrapGcpCmd.CodesphereEnv.OpenBaoPassword, "openbao-password", "", "OpenBao password (optional)")
+ // Cleanup
+ flags.StringVar(&bootstrapGcpCmd.CodesphereEnv.CleanupSaName, "cleanup-sa-name", "oms-infra-github-actions", "Name of the service account responsible for automatic cleanup in GHA (default: gcp-bootstrap-cleanup-sa)")
+ flags.StringVar(&bootstrapGcpCmd.CodesphereEnv.CleanupSaProjecID, "cleanup-sa-project-id", "oms-infra", "GCP ProjectID of the service account responsible for automatic cleanup in GHA (default: oms-infra)")
+ util.MarkFlagRequired(bootstrapGcpCmd.cmd, "project-name")
 util.MarkFlagRequired(bootstrapGcpCmd.cmd, "billing-account")
 util.MarkFlagRequired(bootstrapGcpCmd.cmd, "base-domain")
diff --git a/docs/oms_beta_bootstrap-gcp.md b/docs/oms_beta_bootstrap-gcp.md
index 93003eb1..efe5c43e 100644
--- a/docs/oms_beta_bootstrap-gcp.md
+++ b/docs/oms_beta_bootstrap-gcp.md
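Review bot: The help text for `cleanup-sa-name` names a different default (`gcp-bootstrap-cleanup-sa`) than the flag actually carries (`oms-infra-github-actions`), and the generated docs now print both defaults side by side; the other flags in this block spell the real default in their text, so change it to `(default: oms-infra-github-actions)` or drop the parenthetical. With these defaults an operator who runs bootstrap-gcp without the new flags appears to have `EnsureIAMRoles` bind `roles/resourcemanager.projectDeleter` in their project to a service account from the `oms-infra` project; unless every caller is that GHA pipeline, an empty default that skips the grant when unset is the safer contract, and the help text should state the consequence of setting it. `CleanupSaProjecID` is missing the `t` (`CleanupSaProjectID`); the same name is declared in `CodesphereEnvironment` in gcp.go and used in `EnsureIAMRoles`, so fix it in all three before it spreads further. AddBootstrapGcpCmd starts and ends outside the hunk.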
@@ -19,6 +19,8 @@ oms beta bootstrap-gcp [flags]
 ```
 --base-domain string Base domain for Codesphere (required)
 --billing-account string GCP Billing Account ID (required)
+ --cleanup-sa-name string Name of the service account responsible for automatic cleanup in GHA (default: gcp-bootstrap-cleanup-sa) (default "oms-infra-github-actions")
+ --cleanup-sa-project-id string GCP ProjectID of the service account responsible for automatic cleanup in GHA (default: oms-infra) (default "oms-infra")
 --custom-pg-ip string Custom PostgreSQL IP (optional)
 --datacenter-id int Datacenter ID (default: 1) (default 1)
 --dns-project-id string GCP Project ID for Cloud DNS (optional)
diff --git a/internal/bootstrap/gcp/gcp.go b/internal/bootstrap/gcp/gcp.go
index 11a2ba5e..dce4825d 100644
--- a/internal/bootstrap/gcp/gcp.go
+++ b/internal/bootstrap/gcp/gcp.go
@@ -177,6 +177,10 @@ type CodesphereEnvironment struct {
 Region string `json:"region"`
 Zone string `json:"zone"`
 DNSZoneName string `json:"dns_zone_name"`
+
+ // Cleanup
+ CleanupSaName string `json:"cleanup_sa_email"`
+ CleanupSaProjecID string `json:"cleanup_sa_project_id"`
 }
 func NewGCPBootstrapper(
@@ -600,6 +604,15 @@ func (b *GCPBootstrapper) EnsureIAMRoles() error {
 }
 err = b.ensureIAMRoleWithRetry(b.Env.ProjectID, "artifact-registry-writer", b.Env.ProjectID, []string{"roles/artifactregistry.writer"})
+ if err != nil {
+ return nil
+ }
+
+ err = b.GCPClient.AssignIAMRole(b.Env.ProjectID, b.Env.CleanupSaName, b.Env.CleanupSaProjecID, []string{"roles/resourcemanager.projectDeleter"})
+ if err != nil {
+ return err
+ }
+
 return err
 }
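Review bot: The json tag on `CleanupSaName` says `cleanup_sa_email` while the field, the `--cleanup-sa-name` flag and its default `oms-infra-github-actions` all carry a bare account name rather than an email address; tag and field should agree, e.g. `CleanupSaName string \`json:"cleanup_sa_name"\`` if a name is intended, or rename the field if consumers of the environment JSON expect the full address. If that JSON is already read by other tooling, changing the tag is a contract change and renaming the field is the safer of the two. The two fields also deserve a doc comment instead of the bare `// Cleanup` heading, e.g. `// CleanupSaName and CleanupSaProjecID identify the service account that EnsureIAMRoles grants roles/resourcemanager.projectDeleter on ProjectID.` CodesphereEnvironment begins outside the hunk.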
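Review bot: The new check after the `artifact-registry-writer` assignment returns `nil` on error, so a failed IAM binding is reported as success and the `projectDeleter` grant below it is skipped silently; it should read `return err`. With that fixed the final `return err` can only ever return nil and is clearer as `return nil`. The cleanup grant calls `b.GCPClient.AssignIAMRole` directly while every binding above it goes through `ensureIAMRoleWithRetry`; if that wrapper exists to ride out IAM propagation errors, the new grant presumably needs the same treatment — verify. Because `roles/resourcemanager.projectDeleter` is a highly privileged binding on the bootstrapped project, this call also merits a log line naming the principal it was granted to, so the grant is visible in the bootstrap output. EnsureIAMRoles starts outside the hunk.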