diff --git a/environment/deployments/science-platform/cloudsql/main.tf b/environment/deployments/science-platform/cloudsql/main.tf
index 4e4404b4..8edac148 100644
--- a/environment/deployments/science-platform/cloudsql/main.tf
+++ b/environment/deployments/science-platform/cloudsql/main.tf
@@ -61,6 +61,13 @@ resource "random_password" "ssotap" {
 special = false
 }
 
+resource "random_password" "obstap" {
+ length = 24
+ number = true
+ upper = true
+ special = false
+}
+
 data "google_compute_network" "network" {
 name = var.network
 project = var.project_id
@@ -116,6 +123,11 @@ module "db_science_platform" {
 name = "ssotap"
 charset = "UTF8"
 collation = "en_US.UTF8"
+ },
+ {
+ name = "obstap"
+ charset = "UTF8"
+ collation = "en_US.UTF8"
 }
 ]
 
@@ -139,6 +151,10 @@ module "db_science_platform" {
 {
 name = "ssotap"
 password = random_password.ssotap.result
+ },
+ {
+ name = "obstap"
+ password = random_password.obstap.result
 }
 ]
 
@@ -187,7 +203,7 @@ module "service_accounts" {
 project_id = var.project_id
 display_name = "PostgreSQL client"
 description = "Terraform-managed service account for PostgreSQL access"
- names = ["gafaelfawr", "nublado", "times-square", "vo-cutouts", "ssotap"]
+ names = ["gafaelfawr", "nublado", "times-square", "vo-cutouts", "ssotap", "obstap"]
 project_roles = ["${var.project_id}=>roles/cloudsql.client"]
 }
 
@@ -243,6 +259,12 @@ resource "google_service_account_iam_member" "ssotap_sa_wi" {
 member = "serviceAccount:${var.project_id}.svc.id.goog[ssotap/ssotap]"
 }
 
+resource "google_service_account_iam_member" "obstap_sa_wi" {
+ service_account_id = module.service_accounts.service_accounts_map["obstap"].name
+ role = "roles/iam.workloadIdentityUser"
+ member = "serviceAccount:${var.project_id}.svc.id.goog[obstap/obstap]"
+}
+
 # The vo-cutouts service account must be granted the ability to generate
 # tokens for itself so that it can generate signed GCS URLs starting from
 # the GKE service account token without requiring an exported secret key
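Review bot: The new `obstap` entry in `additional_users` (third hunk, `module "db_science_platform"`, whose block starts outside the hunk) creates a database login, but nothing visible in this file scopes that role to the `obstap` database; on PostgreSQL the default `CONNECT` grant to `PUBLIC` would let it connect to `ssotap` and the other databases on the same instance unless the module or an out-of-band step revokes it, which is worth confirming and recording next to the user block, e.g. `# TODO(review): confirm obstap cannot CONNECT to sibling databases (PUBLIC grant) — per-database privileges are not managed here`. The same question applies to the existing `ssotap` user, so this is a pre-existing gap rather than a regression introduced by the commit. Separately, `random_password.obstap` (first hunk) uses `number = true`, which hashicorp/random 3.3+ deprecates in favour of `numeric = true`; if the provider is not pinned below that, expect a plan-time warning, so it would be cleaner to match whichever form the `ssotap` resource uses (its `number`/`numeric` line is outside the hunk).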
diff --git a/environment/deployments/science-platform/env/dev-cloudsql.tfvars b/environment/deployments/science-platform/env/dev-cloudsql.tfvars
index a989d997..b9cf6e67 100644
--- a/environment/deployments/science-platform/env/dev-cloudsql.tfvars
+++ b/environment/deployments/science-platform/env/dev-cloudsql.tfvars
@@ -19,4 +19,4 @@ db_maintenance_window_update_track = "canary"
 backups_enabled = true
 
 # Increase this number to force Terraform to update the dev environment.
-# Serial: 12
+# Serial: 13