1

So I have a Google Cloud Service Account one sa-1@myproject.iam.gserviceaccount.com that has access to roles A and B.

There is Service Account two sa-2@myproject.iam.gserviceaccount.com which I need to have access to roles A, B, and C.

How do I get sa-2 to have the same access as sa-1 and some other access too?

I tried to add sa-2 as a principal to sa-1 with the Service Account Admin role.

  1. IAM & Admin
  2. Service Accounts
  3. Select sa-1
  4. "+ Grant Access"
  5. Specify sa-2 in dropdown for New principals
  6. Click "Save"

But there is still access denied on the GCP service using the sa-2 account.

I'm trying to get an inherited relationship between the two SAs.

engineer-x
  • 111
  • 2
  • If the answer was useful, please mark the answer as accepted for greater visibility for the community or upvote if the answer has some useful information. – Sai Chandra Gadde Feb 01 '23 at 11:21

1 Answers1

1

In order to grant a Google Cloud Service Account the same permissions as Service Account1, you will need to grant Service Account2 the roles/iam.serviceAccountUser role on the Service Account1. This will allow Service Account 2 to inherit the roles granted to Service Account 1, and you can then grant additional roles to Service Account 2 to give it additional access. You can do this by going to the IAM page in the Google Cloud Console and setting the role to Service Account User for Service Account 2..

For more information follow this doc.

Sai Chandra Gadde
  • 140
  • 7
  • I'm still having issues with access even after doing this. I even tried with "Editor" access between the relationship between the two SAs. I also gave Service Account User, Service Account Admin, and Service Account Key Admin for all SAs for SA2 with the same result. The reason might be due to I'm using an SA key from SA2. – engineer-x Feb 02 '23 at 09:11