79625947

Date: 2025-05-16 21:23:28
Score: 1

Yes, you would need to add your service accounts to a Google Group. This is the standard way to be able to dynamically manage the permissions for your set of principals in GCP. But since this is not feasible for your case because you don’t have an enterprise organizational account, the best way for you to do this is by using secretmanager.secretAccessor with automation using Terraform or by using labels on the secrets and combining it with scripts. You might also want to consider using Google Cloud Run to automate the role assignment.

For further reference, you can check this related post.

Reasons:
  • No code block (0.5):
  • Low reputation (0.5):
Posted by: minet
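
One way to script the label-based approach mentioned in the answer above, as an added example that is not part of the original answer: it grants `roles/secretmanager.secretAccessor` on every secret carrying a given label to a list of service accounts. The function name, the `DRY_RUN` switch and all project, label and account values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer. Project, label and service
# account values are placeholders supplied by the caller.
ROLE="roles/secretmanager.secretAccessor"

# Usage: grant_accessor_by_label PROJECT LABEL_KEY LABEL_VALUE SA_EMAIL...
# Set DRY_RUN=1 to print the binding commands instead of running them.
# The body is a subshell, so `exit` only ends this function.
grant_accessor_by_label() (
  [ "$#" -ge 4 ] || { echo "usage: PROJECT KEY VALUE SA_EMAIL..." >&2; exit 2; }
  project=$1 key=$2 value=$3
  shift 3

  # Allow only characters valid in labels, so nothing else reaches --filter.
  case "$key" in ''|[!a-z]*|*[!a-z0-9_-]*)
    echo "invalid label key: $key" >&2; exit 2;; esac
  case "$value" in *[!a-z0-9_-]*)
    echo "invalid label value: $value" >&2; exit 2;; esac

  # Accept service account e-mails only; never users, groups or allUsers.
  for sa in "$@"; do
    case "$sa" in
      *[!a-z0-9@._-]*) echo "rejected member: $sa" >&2; exit 2;;
      ?*@?*.gserviceaccount.com) ;;
      *) echo "rejected member: $sa" >&2; exit 2;;
    esac
  done

  secrets=$(gcloud secrets list --project="$project" \
    --filter="labels.$key=$value" --format="value(name)") || exit 1

  for name in $secrets; do
    id=${name##*/}   # tolerate full resource paths as well as short IDs
    for sa in "$@"; do
      if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "gcloud secrets add-iam-policy-binding $id --project=$project" \
             "--member=serviceAccount:$sa --role=$ROLE"
      else
        gcloud secrets add-iam-policy-binding "$id" --project="$project" \
          --member="serviceAccount:$sa" --role="$ROLE" --quiet >/dev/null \
          || exit 1
      fi
    done
  done
)
```

Run it with `DRY_RUN=1` first and review the printed bindings; the binding is per secret, so no project-wide accessor role is needed.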