In Google Cloud Platform (GCP) it is common to have multiple projects, for example one per environment (dev, staging, prod, prod-team1, etc.). It is also a common use case to have a single credential (a service account) that can access several of those projects.
In this tutorial we will show you how to create one service account in GCP that can access multiple projects, either under the same organization/account or in completely different accounts (for AWS users, this is the GCP equivalent of assuming a role).
Assuming you have your projects set up (we are going to use Project A and Project B to test all this), navigate to Project A and follow these steps:
From the IAM & Admin menu, select + CREATE SERVICE ACCOUNT
Fill in the Service Account details. As it is going to be used across projects, make sure its name clearly says so (you will be using the Service account ID later). Then select CREATE AND CONTINUE
Now apply the permissions you want this Service Account to have. I'm using the Viewer role; you can also add conditions to the permissions.
Once you have applied all the permissions you want the Service Account to have, select
If you'd like to grant specific users access to this Service Account (to modify it or to see what it's doing), you can add those users here.
After adding any users you wish to grant access to, select DONE, and you should be sent to a screen showing the Service Account, its status, and so on.
Once we have a working Service Account, we have to go through a slightly different process to add it to other projects.
First, using the project selector in the top menu, select your second project. In my case this is Project B.
As before, select IAM & Admin from the menu, but this time we select
Once there, simply select
In this new menu, you will need to use the Service account ID from the earlier flow in which you created the Service Account.
Then add the role you want assigned to the Service Account within this project. I'm going with
After applying all the roles and permissions the Service Account needs, click
After the policy has updated, you'll be able to see the Service Account in the IAM list.
And that's it: your Service Account created in Project A now has access to both Project A and Project B. Enjoy.
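As an added example (not from the original post), here is a Python script that performs the check a practitioner would run after finishing these steps. Given IAM policies in the shape that `gcloud projects get-iam-policy PROJECT --format=json` returns, it builds the member string for the Service Account (the principal is its email, i.e. the Service account ID at the home project's `iam.gserviceaccount.com` domain, which is why the ID from Project A is reused in Project B), lists which roles the account holds in each project, and flags any role beyond the intended Viewer role, including conditional bindings. It also shows an idempotent binding merge of the kind `gcloud projects add-iam-policy-binding` does. The project names, the Service account ID and both policies are constructed placeholders.

```python
"""Audit which projects a cross-project service account can reach.

Added example, not code from the original post. The project names, the
service account ID and the two IAM policies below are constructed; the
policies mirror the shape of `gcloud projects get-iam-policy --format=json`.
"""

# Constructed placeholders for the two projects and the account created in Project A
PROJECT_A = "project-a"
PROJECT_B = "project-b"
SA_ID = "cross-project-reader"


def sa_member(sa_id, home_project):
    """IAM member string for a service account.

    The email is formed from the Service account ID and the project the
    account was created in, so the same string is used in every project
    the account is granted access to.
    """
    return f"serviceAccount:{sa_id}@{home_project}.iam.gserviceaccount.com"


# Constructed sample policies. Project A: Viewer plus a conditional logging role.
# Project B: Viewer, but someone has also granted Editor (broader than intended).
POLICIES = {
    PROJECT_A: {
        "bindings": [
            {"role": "roles/viewer",
             "members": [sa_member(SA_ID, PROJECT_A), "user:alice@example.com"]},
            {"role": "roles/logging.viewer",
             "members": [sa_member(SA_ID, PROJECT_A)],
             "condition": {"title": "expires-2030",
                           "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
        ],
        "etag": "constructed-etag-a",
    },
    PROJECT_B: {
        "bindings": [
            {"role": "roles/viewer", "members": [sa_member(SA_ID, PROJECT_A)]},
            {"role": "roles/editor", "members": [sa_member(SA_ID, PROJECT_A)]},
        ],
        "etag": "constructed-etag-b",
    },
}


def roles_for(policy, member):
    """Roles a member holds directly in one project's policy.

    Conditional bindings are counted as held, since they grant the role
    whenever the condition is true. Group-based grants are not expanded.
    """
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def conditional_roles_for(policy, member):
    """Subset of the member's roles that are attached to an IAM condition."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", []) and "condition" in b}


def cross_project_report(policies, member, allowed_roles):
    """Map project -> roles held, roles beyond the allowed set, and conditional roles."""
    allowed = set(allowed_roles)
    report = {}
    for project, policy in policies.items():
        held = roles_for(policy, member)
        report[project] = {
            "roles": sorted(held),
            "excess": sorted(held - allowed),
            "conditional": sorted(conditional_roles_for(policy, member)),
        }
    return report


def add_binding(policy, role, member):
    """Add member to role without duplicating it, as add-iam-policy-binding does.

    Unconditional bindings only: a role with a condition is a distinct
    binding and is left untouched here.
    """
    bindings = policy.setdefault("bindings", [])
    for b in bindings:
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return policy
    bindings.append({"role": role, "members": [member]})
    return policy


if __name__ == "__main__":
    member = sa_member(SA_ID, PROJECT_A)
    for project, entry in cross_project_report(POLICIES, member, ["roles/viewer"]).items():
        print(f"{project}: roles={entry['roles']} excess={entry['excess']} "
              f"conditional={entry['conditional']}")
```

Run the script against real output by replacing the constructed policies with the parsed JSON from `gcloud projects get-iam-policy` for each project; anything listed under `excess` is a role the cross-project account holds beyond what this tutorial intended to grant.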