diff --git a/internal/daemon/controller/handlers/groups/grants_test.go b/internal/daemon/controller/handlers/groups/grants_test.go
index 39c0ed00fb..831bf0b915 100644
--- a/internal/daemon/controller/handlers/groups/grants_test.go
+++ b/internal/daemon/controller/handlers/groups/grants_test.go
@@ -19,6 +19,7 @@ import (
 "github.com/hashicorp/boundary/internal/kms"
 "github.com/hashicorp/boundary/internal/requests"
 "github.com/hashicorp/boundary/internal/server"
+ wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 "github.com/stretchr/testify/require"
 )
 
@@ -28,6 +29,52 @@ type roleRequest struct {
 grantScopes []string
 }
 
+// genAuthTokenCtx creates an auth.VerifierContext which contains a valid auth token
+// for a user which is associated with roles in the roles parameter
+// this function creates an authMethod, account, user at global scope
+func genAuthTokenCtx(t *testing.T,
+ ctx context.Context,
+ conn *db.DB,
+ wrap wrapping.Wrapper,
+ iamRepo *iam.Repository,
+ roles []roleRequest,
+) context.Context {
+ t.Helper()
+ rw := db.New(conn)
+ kmsCache := kms.TestKms(t, conn, wrap)
+
+ atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache)
+ require.NoError(t, err)
+ iamRepoFn := func() (*iam.Repository, error) {
+ return iamRepo, nil
+ }
+ atRepoFn := func() (*authtoken.Repository, error) {
+ return atRepo, nil
+ }
+
+ serversRepoFn := func() (*server.Repository, error) {
+ return server.NewRepository(ctx, rw, rw, kmsCache)
+ }
+ authMethod := password.TestAuthMethods(t, conn, globals.GlobalPrefix, 1)[0]
+
+ acct := password.TestAccount(t, conn, authMethod.GetPublicId(), uuid.NewString())
+ user := iam.TestUser(t, iamRepo, globals.GlobalPrefix, iam.WithAccountIds(acct.GetPublicId()))
+ for _, r := range roles {
+ role := iam.TestRoleWithGrants(t, conn, r.roleScopeID, r.grantScopes, r.grantStrings)
+ _ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId)
+ }
+ fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId())
+ require.NoError(t, err)
+ fullGrantAuthCtx := auth.NewVerifierContext(requests.NewRequestContext(ctx, requests.WithUserId(user.GetPublicId())),
+ iamRepoFn, atRepoFn, serversRepoFn, kmsCache, &authpb.RequestInfo{
+ PublicId: fullGrantToken.PublicId,
+ Token: fullGrantToken.GetToken(),
+ TokenFormat: uint32(auth.AuthTokenTypeBearer),
+ })
+
+ return fullGrantAuthCtx
+}
+
 // TestGrants_ReadActions tests read actions to assert that grants are being applied properly
 //
 // Role - which scope the role is created in
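Review bot: The locals `fullGrantToken` and `fullGrantAuthCtx` inside genAuthTokenCtx carry over a name from the test they were lifted out of, but the helper grants only what `roles` asks for — an empty slice yields a token bound to no role at all — so "fullGrant" is misleading in a generic helper; `tok` and `authCtx` would read correctly. The doc comment should also be full sentences and should say that each call creates its own KMS cache, auth method, account and user (the removed code in the later hunks of this diff shared `authMethod` and `kmsCache` across subtests, so callers invoking the helper per subtest now repeat that setup each time). Suggested doc: `// genAuthTokenCtx returns an auth.VerifierContext carrying a valid bearer token for a freshly created global-scope user that is a member of one role per entry in roles; an empty roles yields a token with no grants.` Whether the extra per-subtest setup matters for test runtime cannot be judged from the diff alone.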
@@ -50,24 +97,12 @@ func TestGrants_ReadActions(t *testing.T) {
 ctx := context.Background()
 conn, _ := db.TestSetup(t, "postgres")
 wrap := db.TestWrapper(t)
- kmsCache := kms.TestKms(t, conn, wrap)
- rw := db.New(conn)
 iamRepo := iam.TestRepo(t, conn, wrap)
 repoFn := func() (*iam.Repository, error) {
 return iamRepo, nil
 }
 s, err := groups.NewService(ctx, repoFn, 1000)
 require.NoError(t, err)
-
- atRepo, err := authtoken.NewRepository(ctx, rw, rw, kmsCache)
- require.NoError(t, err)
- atRepoFn := func() (*authtoken.Repository, error) {
- return atRepo, nil
- }
- serversRepoFn := func() (*server.Repository, error) {
- return server.NewRepository(ctx, rw, rw, kmsCache)
- }
-
 org1, proj1 := iam.TestScopes(t, iamRepo)
 org2, proj2 := iam.TestScopes(t, iamRepo)
 proj3 := iam.TestProject(t, iamRepo, org2.GetPublicId())
@@ -78,7 +113,6 @@ func TestGrants_ReadActions(t *testing.T) {
 proj1Group := iam.TestGroup(t, conn, proj1.GetPublicId(), iam.WithDescription("proj1"), iam.WithName("proj1"))
 proj2Group := iam.TestGroup(t, conn, proj2.GetPublicId(), iam.WithDescription("proj2"), iam.WithName("proj2"))
 proj3Group := iam.TestGroup(t, conn, proj3.GetPublicId(), iam.WithDescription("proj3"), iam.WithName("proj3"))
- authMethod := password.TestAuthMethods(t, conn, globals.GlobalPrefix, 1)[0]
 t.Run("List", func(t *testing.T) {
 testcases := []struct {
@@ -193,21 +227,7 @@ func TestGrants_ReadActions(t *testing.T) {
 for _, tc := range testcases {
 t.Run(tc.name, func(t *testing.T) {
- // this creates everything required to get a token and creates context with auth token
- acct := password.TestAccount(t, conn, authMethod.GetPublicId(), uuid.NewString())
- user := iam.TestUser(t, iamRepo, globals.GlobalPrefix, iam.WithAccountIds(acct.GetPublicId()))
- for _, r := range tc.rolesToCreate {
- role := iam.TestRoleWithGrants(t, conn, r.roleScopeID, r.grantScopes, r.grantStrings)
- _ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId)
- }
- fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId())
- require.NoError(t, err)
- fullGrantAuthCtx := auth.NewVerifierContext(requests.NewRequestContext(ctx, requests.WithUserId(user.GetPublicId())),
- repoFn, atRepoFn, serversRepoFn, kmsCache, &authpb.RequestInfo{
- PublicId: fullGrantToken.PublicId,
- Token: fullGrantToken.GetToken(),
- TokenFormat: uint32(auth.AuthTokenTypeBearer),
- })
+ fullGrantAuthCtx := genAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.rolesToCreate)
 got, finalErr := s.ListGroups(fullGrantAuthCtx, tc.input)
 if tc.wantErr != nil {
 require.ErrorIs(t, finalErr, tc.wantErr)
@@ -431,7 +451,6 @@ func TestGrants_ReadActions(t *testing.T) {
 grantScopes: []string{globals.GrantScopeThis, globals.GrantScopeChildren},
 },
 },
-
 wantErr: map[string]error{
 globalGroup.PublicId: nil,
 org1Group.PublicId: nil,
@@ -442,21 +461,7 @@ func TestGrants_ReadActions(t *testing.T) {
 for _, tc := range testcases {
 t.Run(tc.name, func(t *testing.T) {
- // this creates everything required to get a token and creates context with auth token
- acct := password.TestAccount(t, conn, authMethod.GetPublicId(), uuid.NewString())
- user := iam.TestUser(t, iamRepo, globals.GlobalPrefix, iam.WithAccountIds(acct.GetPublicId()))
- for _, r := range tc.rolesToCreate {
- role := iam.TestRoleWithGrants(t, conn, r.roleScopeID, r.grantScopes, r.grantStrings)
- _ = iam.TestUserRole(t, conn, role.PublicId, user.PublicId)
- }
- fullGrantToken, err := atRepo.CreateAuthToken(ctx, user, acct.GetPublicId())
- require.NoError(t, err)
- fullGrantAuthCtx := auth.NewVerifierContext(requests.NewRequestContext(ctx, requests.WithUserId(user.GetPublicId())),
- repoFn, atRepoFn, serversRepoFn, kmsCache, &authpb.RequestInfo{
- PublicId: fullGrantToken.PublicId,
- Token: fullGrantToken.GetToken(),
- TokenFormat: uint32(auth.AuthTokenTypeBearer),
- })
+ fullGrantAuthCtx := genAuthTokenCtx(t, ctx, conn, wrap, iamRepo, tc.rolesToCreate)
 for id, wantErr := range tc.wantErr {
 _, err := s.GetGroup(fullGrantAuthCtx, &pbs.GetGroupRequest{
 Id: id,