In Google Cloud Platform (GCP) it is common to have multiple projects for different environments (like prod-team1, etc.). It is also a common use case to have one set of credentials (a service account) that can access multiple projects, or even multiple accounts. For example:
- Auditing: one service account with read-only access to all projects
- Multi-project access/communication: a service in one project may need to access or communicate with services in other projects.
In this tutorial we will show you how to create one service account in GCP that can access multiple projects, either under the same organization/account or in completely different accounts (for AWS users, this is GCP's equivalent of assuming a role).
How do you set up a Service Account in GCP?
Assuming you've got your projects set up (we are going to use Project A and Project B to test all this), navigate to Project A and then do the following steps:
From the IAM & Admin menu select
+ CREATE SERVICE ACCOUNT
Fill in the Service Account details. As it's going to be used across projects, make sure it's clearly defined as such (you will be using the Service account ID later). Then select
CREATE AND CONTINUE
Now apply the permissions you want this Service Account to have. I'm using the Viewer permission; you can also add conditions to the permissions.
Once you have applied all your desired permissions to the Service Account, select
If you'd like to grant specific users access to this Service Account (to modify it or to see what it's doing), you can add those users here.
After adding any users you wish to grant access, select
DONE and you should be sent to a screen with the Service Account and its status.
How do we grant it access to other projects?
Once we have a working Service Account, we have to go through a slightly different process to add it to other projects.
First, using the project navigation in the top menu, select your second project. In my case this is Project B.
Like before, we need to select IAM & Admin from the menu, but this time we select
Once here simply select
From this new menu, you will need to enter the Service account ID from the Service Account you created earlier
and add the role you want assigned to the Service Account within this project. I'm going with
After applying all the roles and permissions the Service Account needs, click
After the policy has updated, you'll be able to see the Service Account in the IAM list.
And that's it: your Service Account, created in Project A, now has access to both Project A and Project B. Enjoy.
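The same two-part flow (create the account in Project A, then bind it a role in Project A and Project B and confirm what it actually holds) as gcloud commands. This is an added example, not code from the original post: PROJECT_A, PROJECT_B and the account name cross-project-viewer are placeholders, and by default the script only prints the commands (DRY_RUN=1); run it with DRY_RUN=0 to execute them against real projects.

```shell
#!/bin/sh
# Added example: the console steps from the tutorial as gcloud commands.
# PROJECT_A, PROJECT_B and SA_NAME are placeholders (assumptions, not values
# from the post). DRY_RUN=1 (the default) prints each command instead of
# running it, so the script can be read without gcloud or real projects.

PROJECT_A="${PROJECT_A:-project-a-placeholder}"
PROJECT_B="${PROJECT_B:-project-b-placeholder}"
SA_NAME="${SA_NAME:-cross-project-viewer}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# The "Service account ID" the console shows is an e-mail address; the account
# always belongs to the project it was created in (Project A here).
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Step 1: create the Service Account in Project A.
create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" \
    --project="$PROJECT_A" \
    --display-name="Cross-project viewer" \
    --description="Read-only access to Project A and Project B"
}

# Step 2: bind a role to the account in any project whose IAM policy you can
# edit. The member is the Project A e-mail, even when the target project sits
# in a different organization or account.
grant_role() {
  project="$1"; role="$2"
  run gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:$(sa_email "$SA_NAME" "$PROJECT_A")" \
    --role="$role"
}

# Step 3: list the roles the account holds in a project, so you can check the
# grant is limited to what you intended (the post uses Viewer only).
list_roles() {
  run gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$(sa_email "$SA_NAME" "$PROJECT_A")" \
    --format="value(bindings.role)"
}

main() {
  create_service_account
  grant_role "$PROJECT_A" roles/viewer
  grant_role "$PROJECT_B" roles/viewer
  list_roles "$PROJECT_A"
  list_roles "$PROJECT_B"
}

main
```

The Viewer permission chosen in the post corresponds to the basic role roles/viewer, which is read access to almost everything in the project; the list_roles step is there so you can confirm that no broader role ended up on the account. When Project B belongs to a different organization, the add-iam-policy-binding call can be refused by that organization's domain restricted sharing policy (the constraints/iam.allowedPolicyMemberDomains constraint), which limits which identities may be added to IAM policies; in that case the policy has to allow Project A's organization before the grant will apply.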