Hello Everyone -- I'm working on multi-project/env...
# getting-started
Hello Everyone -- I'm working on multi-project/env setup in GCP. I have one gcp project which hosts shared resources and then an additional gcp project per environment. I am representing this as 2 pulumi projects, one for the shared with a single stack and one for environments with a stack per env. I'd like to authorize the default service accounts in environment projects to have artifactRegistry.read permission in the shared project. Reading this doc https://cloud.google.com/iam/docs/service-agents I was under the impressions I could add the environment accounts project numbers as config to the shared project config and add them. However, after trying this, I get
service-<env project number>@serverless-robot-prod.iam.gserviceaccount.com does not exist.
. My question is, do I have to default service accounts in the environment gcp projects? If so, how do I set things up to avoid a catch 22 where the shared project cant plan because of the environments are not set up and the environments plan because the shared project is not set up? If not, what is the mistake I'm making?
also, If I choose to attach a specific service account per cloudrun service, how can I authorize that account without creating a catch 22?
I made some progress here. In my environment gcp projects, I didn't have cloud run enabled. So once I enabled it, the following accounts got created: project-number-compute@developer.gserviceaccount.com Which I could then authorize for artifact reads in the shared gcp project.
However, Still not sure what to do if I need to assign a specific service account to the cloud run service in the env.
Alright folks, I think I've figured this out. the gcp deploy service runs as service-<project num>@serverless-robot-prod.iam.gserviceaccount.com The service itself runs as <project num>-compute@developer.gserviceaccount.com So, to authorize deploy, you can attach the registry reader role to the service- and to lock down permissions on the service itself you can create a new restricted service account. No catch 22 or circular dependency.