I have multiple projects in GCP. I created a service account in Project_BA and then assigned the necessary roles to it in both Project_BA and Project_Res. However, when I check the IAM page in the console, no roles are assigned to this service account in Project_Res (the Project_BA grants are present). This is my Terraform setup:
# Identity the ingest function runs as. It is created in Project_BA and is
# later granted access in Project_Res as well (cross-project grants work on
# the principal's e-mail, not on the project it was created in).
resource "google_service_account" "service_account" {
  description = "Account to run the ingest function"
  # account_id may not contain underscores, so they are swapped for hyphens.
  # NOTE(review): account_id must also be 6-30 chars matching
  # [a-z]([-a-z0-9]*[a-z0-9]); this expression does not enforce length or
  # case, so var.name must already satisfy that -- confirm at the call site.
  account_id  = replace(var.name, "/_/", "-")
  project     = var.project_ba
}
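# Custom role in Project_Res granting read access to Secret Manager.
#
# `permissions` takes individual IAM permission IDs (e.g.
# "secretmanager.versions.access"), never role names. A value such as
# "roles/secretmanager.secretAccessor" is not a permission and is rejected by
# the IAM API, so the role -- and the binding that depends on it -- never
# gets created. That is the most likely reason the console shows no grants
# for the account in Project_Res.
#
# The list below is the union of the permissions carried by the predefined
# roles/secretmanager.secretAccessor and roles/secretmanager.viewer (minus
# the resourcemanager.projects.* ones that every viewer-type role carries);
# cross-check with `gcloud iam roles describe roles/secretmanager.viewer`.
# If you do not need a single combined role, binding the two predefined
# roles directly with google_project_iam_member is simpler and needs no
# custom role at all.
resource "google_project_iam_custom_role" "custom_role" {
  project = var.project_res
  role_id = "ba_custom_roles"
  title   = "Custom Roles"
  permissions = [
    # Read the secret payload itself (the sensitive one -- from secretAccessor).
    "secretmanager.versions.access",
    # Metadata-only permissions (from viewer).
    "secretmanager.secrets.get",
    "secretmanager.secrets.list",
    "secretmanager.versions.get",
    "secretmanager.versions.list",
    "secretmanager.locations.get",
    "secretmanager.locations.list",
  ]
}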
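# Grant the custom role to the service account in Project_Res (the grant has
# to live in the project that owns the secrets, var.project_res, even though
# the account itself lives in Project_BA).
#
# google_project_iam_binding is AUTHORITATIVE for the role: on every apply
# it removes any member of this role that is not listed here. That is fine
# for a role dedicated to this one account, but if other principals are
# granted the role outside Terraform they will be silently dropped; use
# google_project_iam_member (as the Project_BA grants do) if that is a risk.
resource "google_project_iam_binding" "project_res_custom_role_binding" {
  project = var.project_res
  # `name` already has the form "projects/<project>/roles/<role_id>", so the
  # full name does not need to be rebuilt by hand, and the reference makes
  # Terraform create the role before the binding.
  role = google_project_iam_custom_role.custom_role.name
  members = [
    "serviceAccount:${google_service_account.service_account.email}",
  ]
}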
# Project-wide Cloud Storage admin for the ingest account in Project_BA.
# google_project_iam_member is additive: it only manages this one
# (role, member) pair and leaves other members of the role alone.
#
# NOTE(review): roles/storage.admin also carries storage.buckets.setIamPolicy
# and bucket create/delete, i.e. the account can re-grant bucket access to
# others. If the function only reads/writes objects, roles/storage.objectAdmin
# (or a bucket-level google_storage_bucket_iam_member) is the least-privilege
# choice -- confirm what the function actually needs before narrowing.
resource "google_project_iam_member" "project_ba_storage_admin" {
  member  = "serviceAccount:${google_service_account.service_account.email}"
  role    = "roles/storage.admin"
  project = var.project_ba
}
# Project-wide BigQuery data editor for the ingest account in Project_BA
# (additive grant; see the storage binding above for the semantics).
#
# NOTE(review): this covers every dataset in the project. If the function
# writes to a known set of datasets, scoping the grant with
# google_bigquery_dataset_iam_member keeps it to those datasets only.
resource "google_project_iam_member" "project_ba_bigquery_data_editor" {
  member  = "serviceAccount:${google_service_account.service_account.email}"
  role    = "roles/bigquery.dataEditor"
  project = var.project_ba
}
# Cloud Composer admin for the ingest account in Project_BA (additive grant).
#
# NOTE(review): roles/composer.admin allows creating, updating and deleting
# Composer environments, which is far more than an ingest function normally
# needs. If the account only has to trigger or read DAG runs, consider
# roles/composer.user or roles/composer.worker instead -- presumably this is
# meant for the Composer environment's own service account; confirm.
resource "google_project_iam_member" "project_ba_composer_admin" {
  member  = "serviceAccount:${google_service_account.service_account.email}"
  role    = "roles/composer.admin"
  project = var.project_ba
}