
Unable to use Service Account from different project

I'm trying to run a Batch job in Project-A with a custom Service Account from Project-B. In both projects, my user has `roles/iam.serviceAccountUser` role specified. But when I submit a job (using gcloud, or Java SDK) I get an error:

PERMISSION_DENIED: caller does not have access to act as the specified service account: "my-sa@project-b.iam.gserviceaccount.com"

What I tried:

  • Steps from the troubleshooting guide with exact error match
  • All sorts of permission combinations, even including Service Agents modification

Using accounts from the same project (Project-A) does not cause any errors and the batch job runs correctly. The error occurs only when using an account from another project.

ACCEPTED SOLUTION

Hi, @igrikus.

In your scenario, you're using a single service account across both projects which is related to cross-project service account privileges. Have you already reviewed the relevant documentation (Support a cross-project service account) for this? If not, please follow the steps outlined in the instructions provided there.

Regards,
Mokit

Thank you for the tip, @mokit!
Now it works, here is what I did:

1. Turned off the `iam.disableCrossProjectServiceAccountUsage` policy in the parent project
2. Added `roles/iam.serviceAccountUser` for the Batch service agent from Project-A to my Service Account from Project-B

Glad to hear that it resolved your issue 🎉
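
The two changes that resolved this thread can be checked before a job is submitted. The following is an added example, not part of the original thread or of any Google tooling: it reports which prerequisites are still missing, given IAM policies exported as JSON. The function names, the sample user and the project number are assumptions made for illustration, as is the Batch service agent address format `service-PROJECT_NUMBER@gcp-sa-batch.iam.gserviceaccount.com`.

```python
ROLE = "roles/iam.serviceAccountUser"
CONSTRAINT = "constraints/iam.disableCrossProjectServiceAccountUsage"

def batch_service_agent(project_number):
    # Batch service agent of the project where the job runs (Project-A).
    return f"serviceAccount:service-{project_number}@gcp-sa-batch.iam.gserviceaccount.com"

def members_with_role(policies, role):
    """Union of members bound to `role` across the given IAM policies.

    Conditional bindings are skipped: this sketch cannot evaluate conditions.
    """
    members = set()
    for policy in policies:
        for binding in policy.get("bindings", []):
            if binding.get("role") == role and "condition" not in binding:
                members.update(binding.get("members", []))
    return members

def cross_project_gaps(policies, submitter, job_project_number, constraint_enforced):
    """List what still blocks a Project-A Batch job from running as a Project-B SA."""
    gaps = []
    if constraint_enforced:
        gaps.append(f"{CONSTRAINT} is still enforced for the service account's project")
    granted = members_with_role(policies, ROLE)
    required = {
        "submitting user": submitter,
        "Batch service agent": batch_service_agent(job_project_number),
    }
    for label, member in required.items():
        if member not in granted:
            gaps.append(f"{label} {member} lacks {ROLE}")
    return gaps

# Constructed sample data (not from the thread): policies in the JSON shape
# returned by get-iam-policy, a made-up user and a made-up project number.
PROJECT_A_NUMBER = "123456789012"
USER = "user:dev@example.com"
PROJECT_B_POLICY = {"bindings": [{"role": ROLE, "members": [USER]}]}  # inherited by the SA
SA_POLICY_BEFORE = {"bindings": []}
SA_POLICY_AFTER = {"bindings": [
    {"role": ROLE, "members": [batch_service_agent(PROJECT_A_NUMBER)]},
]}

if __name__ == "__main__":
    for gap in cross_project_gaps([PROJECT_B_POLICY, SA_POLICY_BEFORE], USER, PROJECT_A_NUMBER, True):
        print("BLOCKED:", gap)
    print(cross_project_gaps([PROJECT_B_POLICY, SA_POLICY_AFTER], USER, PROJECT_A_NUMBER, False))
```

Pass the service account's own policy together with the policies of its ancestors (project, folder, organization), since a role granted higher up is inherited by the service account.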