Hello everyone -- I'm working on a multi-project/env setup in GCP. I have one GCP project which hosts shared resources and then an additional GCP project per environment. I am representing this as two Pulumi projects, one for the shared resources with a single stack and one for the environments with a stack per env.
I'd like to authorize the default service accounts in the environment projects to have the artifactRegistry.read permission in the shared project. Reading this doc
https://cloud.google.com/iam/docs/service-agents I was under the impression I could add the environment projects' numbers as config to the shared project config and add them. However, after trying this, I get:
"service-<env project number>@serverless-robot-prod.iam.gserviceaccount.com does not exist."
My question is, do I have to default service accounts in the environment GCP projects? If so, how do I set things up to avoid a catch-22 where the shared project can't plan because the environments are not set up and the environments can't plan because the shared project is not set up? If not, what is the mistake I'm making?