We have the use case where project A has some secrets and databases which cannot be moved to another project. We have a project B that uses the secrets and databases from project A.
Project A has a service account X that accesses the secrets and databases.
Project B has a service account Y with no permissions to the secrets and databases. The goal is for service account Y to impersonate X during a build trigger connected to pushes to github. Project B has the cloud build pipeline.
According to this: https://cloud.google.com/build/docs/cloud-build-service-account, section **User-specified service account**: "You can create a custom IAM role with an impersonation permission or use pre-defined roles that allow principals to impersonate a service account."
I created a service account X and gave Y permissions to impersonate it (as checked in Policy Analyzer); however, when I try to use service account X in project B's cloud run trigger I get:

`Failed to update trigger: generic::permission_denied: user does not have impersonation permission on the trigger service account specified: projects/redacted/serviceAccounts/service@project-A.com`
- What "user" is this referring to? The one using the console? The build service agent?
- Is it possible to get a service account Y in B to impersonate service account X in project A during the build process?
According to this: https://cloud.google.com/build/docs/securing-builds/configure-user-specified-service-accounts, "To use the Triggers page in the Google Cloud console, the user-specified service account and the build trigger must be in the same project."

Is there a workaround for this? Or will cross-project service account impersonation in Cloud Build be implemented in the near future?
Thanks in advance.