diff --git a/deploy/cloudrun/README.md b/deploy/cloudrun/README.md index 7887e65f..b889f40a 100644 --- a/deploy/cloudrun/README.md +++ b/deploy/cloudrun/README.md @@ -113,6 +113,8 @@ The deployment uses **two separate service accounts** following the principle of Both are created automatically by `setup.sh`. The Pub/Sub Invoker SA is only created when `ENABLE_MARKETPLACE=true` (the default). +**Impersonation:** When the Pub/Sub topic is a cross-project reference (fully-qualified `projects/.../topics/...` path), `deploy.sh` uses `--impersonate-service-account` to create the subscription as the Pub/Sub Invoker SA. This requires the deployer to have `roles/iam.serviceAccountTokenCreator` on the Pub/Sub Invoker SA. `setup.sh` grants this automatically to the active `gcloud` account. Note that IAM changes can take up to 7-10 minutes to propagate — if `deploy.sh` fails with `PERMISSION_DENIED` on impersonation right after running `setup.sh`, wait a few minutes and retry. + ## Prerequisites - [Google Cloud CLI](https://cloud.google.com/sdk/docs/install) installed and authenticated diff --git a/deploy/cloudrun/setup.sh b/deploy/cloudrun/setup.sh index 1fa20000..b714f7f7 100755 --- a/deploy/cloudrun/setup.sh +++ b/deploy/cloudrun/setup.sh 
@@ -266,6 +266,22 @@ if [[ "$ENABLE_MARKETPLACE" == "true" ]]; then --project="$PROJECT_ID" \ --quiet || true + # Grant the deployer permission to impersonate the Pub/Sub Invoker SA. + # Required so that deploy.sh can use --impersonate-service-account when + # creating push subscriptions on cross-project marketplace topics. + DEPLOYER_ACCOUNT=$(gcloud config get-value account 2>/dev/null) + if [[ -n "$DEPLOYER_ACCOUNT" ]]; then + log_info "Granting roles/iam.serviceAccountTokenCreator to $DEPLOYER_ACCOUNT on Pub/Sub Invoker SA..." + gcloud iam service-accounts add-iam-policy-binding "$PUBSUB_INVOKER_SA" \ + --member="user:$DEPLOYER_ACCOUNT" \ + --role="roles/iam.serviceAccountTokenCreator" \ + --project="$PROJECT_ID" \ + --quiet || true + else + log_warn "Could not determine deployer account. You may need to manually grant" + log_warn "roles/iam.serviceAccountTokenCreator on $PUBSUB_INVOKER_SA to run deploy.sh." + fi + # Grant the Pub/Sub Invoker SA the Pub/Sub Editor role in the project. # Required so that deploy.sh can impersonate this SA to create a push # subscription attached to the marketplace topic (which is typically in a
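Review bot: The README paragraph says `setup.sh` grants `roles/iam.serviceAccountTokenCreator` "automatically to the active `gcloud` account", but the matching `setup.sh` hunk only ever binds a `user:` member, so a deployer running as a service account (CI runners, Cloud Shell with an attached SA) will not get the grant and `deploy.sh` will fail with `PERMISSION_DENIED` on impersonation regardless of the propagation wait. Document that limitation next to the 7-10 minute note, and give the manual command for that case, e.g. `gcloud iam service-accounts add-iam-policy-binding <pubsub-invoker-sa> --member="serviceAccount:<deployer>" --role="roles/iam.serviceAccountTokenCreator"`. Worth also stating that this is a standing grant: anyone holding it can mint tokens for the Pub/Sub Invoker SA, which this same setup gives `roles/pubsub.editor` in the project, so teams should know to revoke it once deployments are run from a dedicated pipeline identity.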
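Review bot: The member prefix is hardcoded as `--member="user:$DEPLOYER_ACCOUNT"`, but `gcloud config get-value account` returns whatever identity is active, including service-account emails; binding a service account with a `user:` prefix is rejected by IAM, and the `|| true` then hides that rejection, so the script prints "Granting ..." and succeeds while no binding was created, leaving the later `deploy.sh` impersonation to fail. Pick the prefix from the email shape (e.g. `case "$DEPLOYER_ACCOUNT" in *.gserviceaccount.com) MEMBER="serviceAccount:$DEPLOYER_ACCOUNT" ;; *) MEMBER="user:$DEPLOYER_ACCOUNT" ;; esac`) and, since the grant is load-bearing for `deploy.sh`, replace the silent `|| true` with a `log_warn` that names the binding that failed, mirroring the `else` branch that already tells the operator to grant it manually.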