
I have two GCP projects, A and B, and I want to create a cluster in project B with a node pool also in project B running as a service account in project A.

I am able to create the cluster but when I try to create the node pool I get the following error:

The user does not have access to service account: gke-node@project-A.iam.gserviceaccount.com. Ask a project owner to grant you the iam.serviceAccountUser role on the service account.

I have given project B's Kubernetes Agent Service Account (service-<project-B-number>@container-engine-robot.iam.gserviceaccount.com) the iam.serviceAccountUser role in project A for gke-node@project-A.iam.gserviceaccount.com but this didn't seem to work.

Is this possible to do?

Wytrzymały Wiktor
dippynark
  • Have a look at https://cloud.google.com/iam/docs/impersonating-service-accounts#attaching-different-project – Gari Singh Sep 10 '21 at 08:58
  • this might be helpful also https://stackoverflow.com/questions/67165712/how-to-create-gke-using-a-service-account-in-another-project?rq=1 – dany L Sep 10 '21 at 13:01
  • It is unclear exactly what you are asking for here. Given your Google Kubernetes Engine (GKE) cluster running in Google Cloud Platform (GCP) project `B` and your service account belonging to GCP project `A`, do you want your node pool running in project `A` or project `B`? – Mike Sep 10 '21 at 23:12
  • I have clarified the question since I also want the node pool in project B. Those links look like what I was missing! Will give it a go on Monday and report back – dippynark Sep 11 '21 at 12:04
  • @GariSingh Unfortunately the `iam.disableCrossProjectServiceAccountUsage` constraint is enabled so I cannot perform these steps, but happy to mark this as correct if created as an answer, thanks! – dippynark Sep 11 '21 at 15:52

1 Answer


I post this community wiki answer to provide more visibility of the solution provided at the comment section. Feel free to change or expand.

As it was suggested by @Gari Singh you should follow the documentation. The root cause of the issue according to @dippynark was that the iam.disableCrossProjectServiceAccountUsage constraint is enabled. Here you can find more details.

Serhii Rohoza
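The procedure the question and the linked documentation describe, as an added shell example (not code from the post or from Google): it resolves project B's GKE service agent, checks the `iam.disableCrossProjectServiceAccountUsage` constraint on the service account's own project before touching IAM, grants `roles/iam.serviceAccountUser` on that one service account only, and then creates the node pool. Project IDs, cluster, pool and zone names are placeholders, and gcloud is assumed to be authenticated.

```shell
#!/bin/sh
# Added example, not from the original post. Project IDs, cluster, pool and
# zone are placeholders; gcloud must already be authenticated as a principal
# allowed to edit IAM on the SA in project A and create node pools in B.
set -eu

PROJECT_A="${PROJECT_A:-project-a}"    # owns the node SA (placeholder)
PROJECT_B="${PROJECT_B:-project-b}"    # owns the cluster (placeholder)
CLUSTER="${CLUSTER:-my-cluster}"
POOL="${POOL:-cross-project-pool}"
ZONE="${ZONE:-us-central1-a}"          # use --region for regional clusters

# Email of the node service account that lives in project A.
node_sa_email() { echo "gke-node@$1.iam.gserviceaccount.com"; }

# GKE's service agent for a project, built from the project *number*.
service_agent_email() {
  echo "service-$1@container-engine-robot.iam.gserviceaccount.com"
}

# Reads `gcloud org-policies describe --effective` output on stdin and
# succeeds only if the boolean constraint is enforced.
constraint_enforced() { grep -q 'enforce: *true'; }

main() {
  node_sa=$(node_sa_email "$PROJECT_A")
  number_b=$(gcloud projects describe "$PROJECT_B" --format='value(projectNumber)')
  agent_b=$(service_agent_email "$number_b")

  # 1. The constraint applies to the project that owns the SA (A). While it
  #    is enforced there, no IAM binding will make the node pool creation
  #    succeed; that is an org-policy decision, not an IAM one.
  if gcloud org-policies describe iam.disableCrossProjectServiceAccountUsage \
       --project="$PROJECT_A" --effective | constraint_enforced; then
    echo "iam.disableCrossProjectServiceAccountUsage is enforced on $PROJECT_A" >&2
    exit 1
  fi

  # 2. Grant the role on this single SA, not project-wide, so project B's
  #    GKE agent can attach exactly this identity and nothing else.
  gcloud iam service-accounts add-iam-policy-binding "$node_sa" \
    --project="$PROJECT_A" --member="serviceAccount:$agent_b" \
    --role="roles/iam.serviceAccountUser"

  # 3. Create the node pool in project B running as the project-A SA.
  gcloud container node-pools create "$POOL" --project="$PROJECT_B" \
    --cluster="$CLUSTER" --zone="$ZONE" --service-account="$node_sa"
}

if [ "${1:-}" = "apply" ]; then main; fi
```

Run it as `sh script.sh apply` after exporting the real PROJECT_A, PROJECT_B, CLUSTER, POOL and ZONE values; without the argument it only defines the functions.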