This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Is it possible to set the Service account permission setting in Cloud Build across all users?

Posted on 07-18-2024 04:49 PM
user19283045
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

Hi,

I found that the service account permission setting in Cloud Build is working as a personal setting, not a shared setting across all organisation users in the same project. Is there any possible way to set up a custom service account to a default service account for Cloud Build Trigger rather than setting the preferred service account by each user?

I appreciate your time. Thank you.

From user 1From user 1From user 2From user 2

 

1 2 170
Topic Labels
2 REPLIES 2

Posted on --/--/---- --:-- AM
DamianS
Gold 2
Gold 2
Reply posted on --/--/---- --:-- AM

Hello @user19283045  ,Welcome on Google Cloud Community.

You could create SA under shared project ( or any kind of project ). Then assign permissions on folder or organization level. At the end, you will be able to specify service account. 

1. I've created SA community-sa-cloud-build@XXXXX on project webapp. 
2. I've assigned this SA at the PROD folder level, where I have few projects ( typical Organization structure). I've assigned Cloud Build Service Agent. So, each project under mentioned folder will inherit predefined role. 
3. Then, I've created Cloud Build Trigger and was able to use following SA. BUt what I had to do, was click on "SWITCH PROJECT" and pick project where my SA was created. Of course you have to assign proper permissions like Folder viewer or Project Viewer and so on, but basically you should be able to create one-shared SA for all Cloud Builds. 

DamianS_1-1721363977967.png

DamianS_2-1721364011418.png

 

--
cheers,
DamianS
LinkedIn medium.com Cloudskillsboost

0 Likes

Posted on --/--/---- --:-- AM
AaryanCodes
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

Hello, User, this is the answer that has worked for me in the past:

ou can create a Service Account (SA) under a shared project or any other type of project. After that, assign permissions at the folder or organization level. Eventually, you'll be able to specify the service account.

  1. I created a service account named community-sa-cloud-build@XXXXX in the project called webapp.
  2. I assigned this service account at the PROD folder level, which contains several projects, following a typical organizational structure. I assigned the Cloud Build Service Agent role to it. This way, all projects within the specified folder will inherit the predefined role.
  3. Next, I created a Cloud Build Trigger and was able to use the service account. However, I had to click "SWITCH PROJECT" and select the project where my service account was created. It's important to assign the appropriate permissions, such as Folder Viewer or Project Viewer, but essentially, you can create a single shared service account for all Cloud Builds.
0 Likes
Top Solution Authors
View all