0
votes

I have two GCP projects, one for continuous integration builds, and one for the team project.

com-build: contains

  • triggers on code-repository
  • docker images

service account: [email protected] with roles service-account-administrator and cloudbuild-service-account

g iam service-accounts get-iam-policy [email protected] --project=com-build

--> etag: ACAB

com-project: contains

  • templates for VM
  • VMs

service account: [email protected] with roles service-account-administrator and compute-instance-administrator

g iam service-accounts get-iam-policy [email protected] --project=com-project

--> etag: ACAB

I set up the cloudbuild.json file to update its container on code push, like this:

{
  "steps": [
    {
      "name": "gcr.io/cloud-builders/docker",
      "args": [
        "build",
        "-t",
        "****:latest",
        "."
      ]
    },
    {
      "name": "gcr.io/cloud-builders/docker",
      "args": [
        "push",
        "***:latest"
      ]
    },
    {
      "name": "gcr.io/cloud-builders/gcloud",
      "args": [
        "compute",
        "instances",
        "update-container",
        "***",
        "--project=com-project",
        "--zone=somewhere"
      ]
    }
  ]
}

I get the following error:

ERROR: (gcloud.compute.instances.update-container) The user does not have access to service account '[email protected]'. User: '[email protected]'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account

But both service accounts have the role (I checked 20 times in the IAM settings). Am I missing something?

@bhito - That is not correct. Project Editor / Owner is NOT required to access resources across projects. – John Hanley

Please edit your question and post the actual roles that are assigned using the gcloud command (and the commands that you used). – John Hanley

@JohnHanley thanks for pointing it out, I got confused. This question has an answer to the similar question you have. – bhito

Neither service account has any IAM members assigned with permissions. When you add permissions (roles) you can add them to the project or directly on the service account. You need the latter. You need to add roles/iam.serviceAccountUser to the service account. cloud.google.com/iam/docs/… – John Hanley

Seems like the [email protected] service account is missing the permission to update the container image. At IAM & admin > Roles, search for compute.images.update (possibly the permission needed to execute update-container) to choose one of the available roles that has this permission. – manasouza

1 Answer

0
votes

Found my problem:
[email protected] had to have access to the Editor role, in order to edit resources in the other project

rights must be Editor and service account admin
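As an added example (not code from the question, the comments or the answer), here is a small Python checker for the diagnosis John Hanley gives in the comments: roles/iam.serviceAccountUser has to be bound directly on the target service account's own IAM policy, not on the project, and a get-iam-policy output that shows nothing but an etag (as in the question) is a policy with no bindings at all. The service account addresses and the second etag are constructed placeholders, since the real ones are redacted on the page. The binding it proposes is the one the error message actually asks for, and it is considerably narrower than the project-wide Editor role the answer settled on; for the update-container call itself the build account additionally needs a compute role in com-project (roles/compute.instanceAdmin.v1 is the narrowest predefined one), which this example does not cover.

```python
import json

SA_USER_ROLE = "roles/iam.serviceAccountUser"

# Constructed placeholders for the two service accounts in the question
# (the real addresses are redacted on the page).
BUILD_MEMBER = "serviceAccount:builder@com-build.iam.gserviceaccount.com"
TARGET_SA = "vm-runner@com-project.iam.gserviceaccount.com"

# Constructed sample: the JSON form of
#   gcloud iam service-accounts get-iam-policy <SA> --format=json
# for a service account with no bindings at all. This is exactly the
# situation the question's output (nothing but "etag: ACAB") describes.
EMPTY_POLICY_JSON = '{"etag": "ACAB"}'

# Constructed sample: the same policy after the binding was added on the
# service account resource itself (the etag is a made-up value).
BOUND_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": SA_USER_ROLE, "members": [BUILD_MEMBER]},
    ],
    "etag": "ETAG-PLACEHOLDER",
})


def members_with_role(policy: dict, role: str) -> set:
    """Every member bound to `role` in this resource-level policy.

    Bindings that carry an IAM condition are skipped: a conditional grant
    may or may not apply at call time, so it is not counted as guaranteed.
    """
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") != role or "condition" in binding:
            continue
        found.update(binding.get("members", []))
    return found


def can_act_as(policy: dict, member: str) -> bool:
    """True if `member` holds roles/iam.serviceAccountUser directly on the
    service account whose policy this is, i.e. may act as that account."""
    return member in members_with_role(policy, SA_USER_ROLE)


def fix_command(target_sa: str, member: str) -> str:
    """The gcloud invocation that binds the role on the service account
    resource (not on the project), as the comments recommend."""
    return (
        f"gcloud iam service-accounts add-iam-policy-binding {target_sa} "
        f"--member={member} --role={SA_USER_ROLE}"
    )


def check(policy_json: str, target_sa: str, member: str) -> str:
    """Parse a get-iam-policy JSON document; return 'ok' when the member can
    act as the target account, otherwise the command that adds the binding."""
    policy = json.loads(policy_json)
    if can_act_as(policy, member):
        return "ok"
    return fix_command(target_sa, member)


if __name__ == "__main__":
    print("before:", check(EMPTY_POLICY_JSON, TARGET_SA, BUILD_MEMBER))
    print("after: ", check(BOUND_POLICY_JSON, TARGET_SA, BUILD_MEMBER))
```

To run it against a real account, feed `check()` the output of `gcloud iam service-accounts get-iam-policy <target SA> --project=com-project --format=json` with the build account's `serviceAccount:` address as the member. Conditional bindings are deliberately not counted as a grant, so a policy that only has a conditional serviceAccountUser binding is reported as missing rather than silently passing.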