
Creating a Cross Project (or Account) Service Account in GCP Step-by-Step

Mike Elsmore


In Google Cloud Platform (GCP) it is common to have multiple projects for different environments (such as dev, staging, prod, prod-team1, etc.). It is also a common use case to have one set of credentials (a service account) that can access multiple projects. For example:
  • Auditing: one service account with read-only access to all projects
  • Multi-project access/communication: a service in one project may need to access or communicate with services in other projects
In this tutorial we will show you how to create one service account in GCP that can access multiple projects, either under the same organization/account or in completely different accounts (for AWS users, this is GCP's equivalent of assume role).

How do you set up a Service Account in GCP?

Assuming you've got your projects set up (we are going to use Project A and Project B to test all this), navigate to Project A and then do the following steps:
  1. Within the IAM & Admin menu select Service Accounts
  2. Select + CREATE SERVICE ACCOUNT
  3. Fill in the Service Account details. As it's going to be used across projects, make sure it's clearly named as such (you will be using the Service account ID later). Then select CREATE AND CONTINUE
  4. Now apply the permissions you want this Service Account to have. I'm using the Viewer role; you can also add conditions to the permissions
  5. Once you have applied all your desired permissions to the Service Account select CONTINUE
  6. If you’d like to grant specific users access to this Service Account (for modification or to see what it’s doing) you can add those users here
  7. After adding any users you wish to grant access, select DONE and you should be sent to a screen showing the Service Account, its status, etc.

How do we grant it access to other projects?

Once we have a working Service Account, we now have to go through a slightly different process to add it to other projects.
  1. Firstly, using the project navigation in the top menu select your second project. In my case this is Project B
  2. Like before we need to select IAM & Admin from the menu, but this time we select IAM
  3. Once here simply select +ADD
  4. From this new menu, you will need to use the Service account ID from the previous flow of creating the Service Account
  5. And add the role you want to have assigned to the Service Account within this Project, I’m going with Viewer again
  6. After applying all the roles and permissions the Service Account needs, click SAVE
  7. After the policy has updated, you’ll be able to see your user in the IAM list
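The two console procedures above map onto a handful of gcloud commands. The following shell functions are an added example, not part of the original post: they create the account in its home project, grant it a role there, optionally let a named user work with it, grant it the same role on a second project, and then list what the account actually holds on that project so the result of the IAM step can be checked from the command line. The project ids project-a and project-b, the account name cross-project-viewer and the user auditor@example.com are placeholders, and setting GCLOUD="echo gcloud" prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: gcloud equivalent of the console steps above.
# Assumptions (placeholders): project ids "project-a" and "project-b",
# service account name "cross-project-viewer", user "auditor@example.com".
# Set GCLOUD="echo gcloud" to preview the commands without running them.

GCLOUD="${GCLOUD:-gcloud}"

# A service account's member id always follows this pattern:
# NAME@HOME_PROJECT.iam.gserviceaccount.com
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# First procedure, steps 1-3: create the account in its home project.
create_sa() {
  project="$1"; name="$2"
  $GCLOUD iam service-accounts create "$name" \
    --project="$project" \
    --display-name="Cross-project viewer" \
    --description="Read-only access across projects; home project $project"
}

# First procedure step 4 and second procedure steps 3-6: bind a role to the
# account on a project. The same command serves the home project and any
# other project; only the project id changes.
grant_role() {
  project="$1"; name="$2"; home="$3"; role="$4"
  $GCLOUD projects add-iam-policy-binding "$project" \
    --member="serviceAccount:$(sa_email "$name" "$home")" \
    --role="$role"
}

# First procedure step 6: let a named user use/inspect the account.
grant_user_on_sa() {
  name="$1"; home="$2"; user="$3"
  $GCLOUD iam service-accounts add-iam-policy-binding "$(sa_email "$name" "$home")" \
    --project="$home" \
    --member="user:$user" \
    --role="roles/iam.serviceAccountUser"
}

# Second procedure step 7, as a check rather than a console glance:
# print every role the account holds on the given project.
list_sa_roles() {
  project="$1"; name="$2"; home="$3"
  $GCLOUD projects get-iam-policy "$project" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$(sa_email "$name" "$home")" \
    --format="value(bindings.role)"
}

# Whole flow: Project A is the home project, Project B the second project.
setup_cross_project_viewer() {
  create_sa project-a cross-project-viewer
  grant_role project-a cross-project-viewer project-a roles/viewer
  grant_user_on_sa cross-project-viewer project-a auditor@example.com
  grant_role project-b cross-project-viewer project-a roles/viewer
  list_sa_roles project-b cross-project-viewer project-a
}

# Only run the flow when invoked as: sh cross_project_sa.sh run
if [ "${1:-}" = "run" ]; then
  setup_cross_project_viewer
fi
```

Run `GCLOUD="echo gcloud" sh cross_project_sa.sh run` first to review the exact bindings that will be created; the last command's output should show only the role you intended (roles/viewer here) for the account on Project B.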

Summary

And that’s it, your Service Account created in Project A now has access to both Project A and Project B, enjoy.
Ready to get started with CloudQuery? You can try out CloudQuery locally with our quick start guide or explore the CloudQuery Platform (currently in beta) for a more scalable solution.
Want help getting started? Join the CloudQuery community to connect with other users and experts, or message our team directly here if you have any questions.

Written by Mike Elsmore

Mike Elsmore is a software developer, technologist, public speaker, and community builder based in the UK. His passion is developer outreach and education.

© 2024 CloudQuery, Inc. All rights reserved.