diff --git a/provider/notification-gcp/README.md b/provider/notification-gcp/README.md
index 9b8c66c14ea75955424b9bf819ade2247c625798..1e8305f0b672466eadddcada1e65c6176994fbc7 100644
--- a/provider/notification-gcp/README.md
+++ b/provider/notification-gcp/README.md
@@ -88,6 +88,16 @@ Most of them are common to all hosting environments, but there are properties th
 | `APP_PROJECT` | ex `opendes` | Google Cloud Project Id | no | output of infrastructure deployment |
 | `APP_AUDIENCES` | ex `*****.apps.googleusercontent.com` | Client ID for getting access to cloud resources | yes | https://console.cloud.google.com/apis/credentials |
 
+##### service account IAM roles
+Also, the following IAM roles should be assigned to the service's Google service account (SA)
+
+| IAM role | The purpose                                                                   |
+|----------|-------------------------------------------------------------------------------|
+| Service Account Token Creator | To write yourself JWT for requesting neighbor microservices                   |
+| Pub/Sub Editor | To fetch available PubSub topics and subscriptions and be able to create them |
+
+
+
 **System Environment required to run service**
 
 | name | value | description | sensitive? | source |
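Review bot: The two added table rows name `Service Account Token Creator` and `Pub/Sub Editor` without saying which resource each role is bound on, and a reader following this README will most likely grant both at project level. Please state that Token Creator should be granted on the service's own SA only, since a project-level binding lets the service mint tokens for every service account in the project. Please also confirm whether Pub/Sub Editor is really needed: it permits deleting topics and subscriptions as well, which the stated purpose (fetch and create) does not require, so a narrower role or a custom role may be enough. Wording and style: "To write yourself JWT" would read better as "To self-sign JWTs for requests to neighbouring microservices"; "PubSub" in the purpose column should match "Pub/Sub" in the role name; the heading "service account IAM roles" should be capitalised and followed by a blank line, and the three trailing blank lines before "**System Environment required to run service**" can be reduced to one.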