Hello Everyone -- I'm working on multi-project/env...
# getting-startedc
colossal-tailor-72573
11/01/2023, 4:35 PMHello Everyone -- I'm working on multi-project/env setup in GCP. I have one gcp project which hosts shared resources and then an additional gcp project per environment. I am representing this as 2 pulumi projects, one for the shared with a single stack and one for environments with a stack per env.
I'd like to authorize the default service accounts in environment projects to have artifactRegistry.read permission in the shared project. Reading this doc https://cloud.google.com/iam/docs/service-agents I was under the impressions I could add the environment accounts project numbers as config to the shared project config and add them. However, after trying this, I get
service-<env project number>@serverless-robot-prod.iam.gserviceaccount.com does not exist.colossal-tailor-72573
11/01/2023, 4:43 PMalso, If I choose to attach a specific service account per cloudrun service, how can I authorize that account without creating a catch 22?
colossal-tailor-72573
11/01/2023, 11:13 PMI made some progress here.
In my environment gcp projects, I didn't have cloud run enabled. So once I enabled it, the following accounts got created:
project-number-compute@developer.gserviceaccount.com
Which I could then authorize for artifact reads in the shared gcp project.
colossal-tailor-72573
11/01/2023, 11:14 PMHowever, Still not sure what to do if I need to assign a specific service account to the cloud run service in the env.
colossal-tailor-72573
11/02/2023, 12:57 AMAlright folks, I think I've figured this out.
the gcp deploy service runs as service-<project num>@serverless-robot-prod.iam.gserviceaccount.com
The service itself runs as <project num>-compute@developer.gserviceaccount.com
So, to authorize deploy, you can attach the registry reader role to the service- and to lock down permissions on the service itself you can create a new restricted service account. No catch 22 or circular dependency.