
Using service accounts across projects in GCP with terraform

I have multiple projects in my GCP.
So, for Project A I have created a service account and I am using this service account for Project B using IAM roles and creating various infrastructures.

I am creating these resources using terraform scripts.
As terraform needs service account credentials, I have generated the same key ring JSON file from Project A and provided it in the terraform variable.

The issue occurs when I am creating a Cloud Build Trigger in Project B using terraform: it says it doesn't have enough permissions to create the same, but I have provided all the necessary permissions to do so.
The weird thing I found is that the terraform error points to Project A instead of Project B, and that is why I am experiencing this error.
The service account key contains the project id as well as the service account name, which in my case is Project A, and that's what is creating the issue here.


So, is there any solution for the same, or any way I can replace the values in the JSON file with the values provided in the scripts?

Need help asap.
Thanks.

2 REPLIES

Can you share the full error message you are receiving when trying to provision the Cloud Build Trigger? Does it contain the missing permission(s) that block the deployment? Can you also share the Terraform template you are currently using? As a reference, does the project A service account have the Cloud Build Editor role on project B?

You can use aliases for different accounts of the same provider in Terraform. It is likely that one project is using the credentials of another where there is no permission.
https://developer.hashicorp.com/terraform/language/providers/configuration
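
The provider-alias approach suggested in the reply above, as an added example that is not part of the original thread: one Project A key file feeds two `google` provider blocks, and the trigger is bound explicitly to the one that targets Project B. The variable names, the alias `project_b`, the trigger name and the repository are hypothetical; the `user_project_override` and `billing_project` lines assume the error names Project A because quota and API-enablement checks default to the project associated with the credentials.

```hcl
variable "sa_key_file" {
  description = "Path to the Project A service account key (hypothetical name)"
  type        = string
  sensitive   = true
}

variable "project_a_id" { type = string }
variable "project_b_id" { type = string }

# Default provider: resources that really belong to Project A.
provider "google" {
  credentials = file(var.sa_key_file)
  project     = var.project_a_id
}

# Aliased provider: same credentials, but every default points at Project B.
provider "google" {
  alias       = "project_b"
  credentials = file(var.sa_key_file)
  project     = var.project_b_id

  # Assumption about the cause: send quota and API-enablement checks to
  # Project B instead of the project associated with the credentials.
  # The service account needs serviceusage.services.use on Project B.
  user_project_override = true
  billing_project       = var.project_b_id
}

resource "google_cloudbuild_trigger" "example" {
  # Without this line the resource silently uses the default provider above.
  provider = google.project_b
  project  = var.project_b_id

  name     = "example-trigger" # constructed sample value
  filename = "cloudbuild.yaml"

  trigger_template {
    repo_name   = "example-repo" # constructed sample value
    branch_name = "main"
  }
}
```

The key file itself is not edited: its `project_id` field only records where the service account was created, and the target project comes from the provider and resource arguments.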