diff --git a/upup/pkg/fi/cloudup/gcetasks/instancetemplate.go b/upup/pkg/fi/cloudup/gcetasks/instancetemplate.go
index 6fc7efec3ece8..c74c99bac75ab 100644
--- a/upup/pkg/fi/cloudup/gcetasks/instancetemplate.go
+++ b/upup/pkg/fi/cloudup/gcetasks/instancetemplate.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"reflect"
+	"slices"
 	"sort"
 	"strconv"
 	"strings"
@@ -411,6 +412,12 @@ func (a ByKey) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
 func (a ByKey) Less(i, j int) bool { return a[i].Key < a[j].Key }
 
 func matches(l, r *compute.InstanceTemplate) bool {
+	normalizeServiceAccount := func(v *compute.ServiceAccount) *compute.ServiceAccount {
+		c := *v
+		c.Scopes = slices.Clone(c.Scopes)
+		sort.Strings(c.Scopes)
+		return &c
+	}
 	normalizeInstanceProperties := func(v *compute.InstanceProperties) *compute.InstanceProperties {
 		c := *v
 		if c.Metadata != nil {
@@ -419,6 +426,11 @@ func matches(l, r *compute.InstanceTemplate) bool {
 			c.Metadata.Fingerprint = ""
 			sort.Sort(ByKey(c.Metadata.Items))
 		}
+		if c.ServiceAccounts != nil {
+			for i, serviceAccount := range c.ServiceAccounts {
+				c.ServiceAccounts[i] = normalizeServiceAccount(serviceAccount)
+			}
+		}
 		// Ignore output fields
 		for _, ni := range c.NetworkInterfaces {
 			ni.Name = ""