
Access cross GCP projects with one shared service account credentials
I have two Google Cloud Platform (GCP) projects. Let's say Project A and B. I created one service account in Project A and generated a JSON key. I want to access the services of Project B using the same JSON key.

A sample JSON key is provided below.

{
  "type": "service_account",
  "project_id": "PROJECT_ID",
  "private_key_id": "KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "SERVICE_ACCOUNT_EMAIL",
  "client_id": "CLIENT_ID",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
}

Since this key contains the project id, can I use this key to access a different project?

I checked some questions on Stack Overflow like [1] and [2].

[1] - Multi-Project(Account) service account in GCP

[2] - Creating a Cross Project (or Account) Service Account in GCP Step-by-Step


Solution

  • The articles [1] & [2] mentioned by you can be used as a reference to access cross GCP projects with one shared service account. Also make sure to follow the below recommendation.

    As per the official documentation, to enable service accounts to be attached across projects, the following constraints in the organization policy for the project where your service accounts are located are recommended.

    Ensure that the iam.disableCrossProjectServiceAccountUsage boolean constraint is not enforced for the project. This boolean constraint controls whether you can attach a service account to a resource in another project. The constraint is enforced by default.

    Ensure that the iam.restrictCrossProjectServiceAccountLienRemoval boolean constraint is enforced for the project. This boolean constraint ensures that principals can remove the project lien only if they have the resourcemanager.projects.updateLiens permission at the organization level. If this constraint is not enforced, principals can remove the project lien.
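The following script is an added example, not code from the question or the answer above. It shows the practical side of the answer: the key's "project_id" only records the service account's home project, so what the shared key may reach in Project B is governed by Project B's IAM bindings, which the script grants and then lists, after printing the effective state of the two org-policy constraints the answer names. It assumes the caller supplies the key file, the target project and the role via the KEY_FILE, PROJECT_B and ROLE environment variables (names chosen for this example), and that gcloud is installed and authenticated as someone allowed to edit IAM on Project B.

```shell
#!/usr/bin/env sh
# Added example (not from the original question or answer). KEY_FILE, PROJECT_B
# and ROLE are assumed inputs; the key's "project_id" is the SA's home project,
# while access to Project B is decided solely by Project B's IAM policy.

# Pull a top-level string field out of a service-account JSON key.
key_field() {  # $1 = field name, $2 = key file
    sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}
sa_email_from_key() { key_field client_email "$1"; }
key_project_id()    { key_field project_id "$1"; }

# Print the effective value of the two org-policy constraints from the answer,
# evaluated on the service account's home project.
check_cross_project_policy() {  # $1 = home project of the service account
    for c in iam.disableCrossProjectServiceAccountUsage \
             iam.restrictCrossProjectServiceAccountLienRemoval; do
        printf '== %s (effective) ==\n' "$c"
        gcloud resource-manager org-policies describe "$c" \
            --project="$1" --effective
    done
}

# Grant the SA one role in Project B, then list every role it now holds there
# so the grant can be reviewed for least privilege.
grant_and_verify() {  # $1 = key file, $2 = project B, $3 = role
    sa=$(sa_email_from_key "$1")
    gcloud projects add-iam-policy-binding "$2" \
        --member="serviceAccount:$sa" --role="$3" --condition=None
    gcloud projects get-iam-policy "$2" --flatten="bindings[].members" \
        --filter="bindings.members:serviceAccount:$sa" \
        --format="value(bindings.role)"
}

if [ -n "${KEY_FILE:-}" ]; then
    # Real run: KEY_FILE=a.json PROJECT_B=project-b ROLE=roles/storage.objectViewer sh cross.sh
    check_cross_project_policy "$(key_project_id "$KEY_FILE")"
    grant_and_verify "$KEY_FILE" "${PROJECT_B:?set PROJECT_B}" "${ROLE:?set ROLE}"
else
    # Offline self-check on a constructed (fake) key so the parser can be exercised.
    tmp=$(mktemp)
    printf '{\n "type": "service_account",\n "project_id": "project-a",\n "client_email": "shared-sa@project-a.iam.gserviceaccount.com"\n}\n' > "$tmp"
    echo "home project: $(key_project_id "$tmp")"
    echo "service account: $(sa_email_from_key "$tmp")"
    rm -f "$tmp"
fi
```

Run it once with KEY_FILE unset to see the offline self-check; the get-iam-policy listing at the end of a real run is the place to confirm the SA holds only the role you intended in Project B.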