diff --git a/src/init/features/apphosting/repo.ts b/src/init/features/apphosting/repo.ts
index 3124fccf6c6..14d8142043b 100644
--- a/src/init/features/apphosting/repo.ts
+++ b/src/init/features/apphosting/repo.ts
@@ -92,7 +92,6 @@ export async function linkGitHubRepository(
 ): Promise<gcb.Repository> {
   utils.logBullet(clc.bold(`${clc.yellow("===")} Set up a GitHub connection`));
   // Fetch the sentinel Oauth connection first which is needed to create further GitHub connections.
-  await ensureSecretManagerAdminGrant(projectId);
   const oauthConn = await getOrCreateOauthConnection(projectId, location);
   const existingConns = await listAppHostingConnections(projectId);
 
@@ -174,7 +173,20 @@ async function getOrCreateOauthConnection(
   projectId: string,
   location: string,
 ): Promise<gcb.Connection> {
-  let conn = await getOrCreateConnection(projectId, location, APPHOSTING_OAUTH_CONN_NAME);
+  let conn: gcb.Connection;
+  try {
+    conn = await gcb.getConnection(projectId, location, APPHOSTING_OAUTH_CONN_NAME);
+  } catch (err: unknown) {
+    if ((err as any).status === 404) {
+      // Cloud build P4SA requires the secret manager admin role.
+      // This is only required when creating an Oauth connection.
+      await ensureSecretManagerAdminGrant(projectId);
+      conn = await createConnection(projectId, location, APPHOSTING_OAUTH_CONN_NAME);
+    } else {
+      throw err;
+    }
+  }
+
   while (conn.installationState.stage === "PENDING_USER_OAUTH") {
     utils.logBullet("You must authorize the Cloud Build GitHub app.");
     utils.logBullet("Sign in to GitHub and authorize Cloud Build GitHub app:");