Unable to use Service Account from different project

I’m trying to run a Batch job in Project-A with a custom Service Account from Project-B. In both projects, my user has the roles/iam.serviceAccountUser role. But when I submit a job (using gcloud or the Java SDK) I get an error:

PERMISSION_DENIED: caller does not have access to act as the specified service account: "my-sa@project-b.iam.gserviceaccount.com"

What I tried:

  • Steps from the troubleshooting guide with exact error match
  • All sorts of permission combinations, even including Service Agents modification

Using accounts from the same project (Project-A) does not cause any errors and the batch job runs correctly. The error occurs only when using an account from another project.

Hi @igrikus,

In your scenario, you’re using a single service account across both projects which is related to cross-project service account privileges. Have you already reviewed the relevant documentation (Support a cross-project service account) for this? If not, please follow the steps outlined in the instructions provided there.

Regards,
Mokit


Thank you for the tip, @mokit!
Now it works, here is what I did:

  1. Turned off iam.disableCrossProjectServiceAccountUsage policy in the parent project
  2. Added roles/iam.serviceAccountUser for the Batch service agent from Project-A to my Service Account from Project-B
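The two steps above, scripted with gcloud, as an added example that is not part of the thread or of Google's documentation. It assumes the Batch service agent email follows the pattern `service-PROJECT_NUMBER@gcp-sa-cloudbatch.iam.gserviceaccount.com` (check the service agents list in IAM for your project if unsure), that the `gcloud resource-manager org-policies disable-enforce` and `gcloud iam service-accounts add-iam-policy-binding` subcommands are available in your gcloud version, and that the org-policy constraint is turned off on the project you pass (the poster used the parent project; by default the script uses the service account's own project). It runs in dry-run mode unless `DRY_RUN=0`, so you can review the commands before they touch IAM.

```shell
#!/bin/sh
# Added example (not from the thread): let Project-A's Batch service agent act
# as a service account owned by Project-B, then verify the binding exists.
# ASSUMPTIONS: Batch service agent email pattern and the gcloud subcommands
# used below; confirm both against the current documentation.
set -eu

: "${DRY_RUN:=1}"   # 1 = only print gcloud commands; 0 = actually run them

# Run a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# Project NUMBER for a project ID (placeholder in dry-run mode).
project_number() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'PROJECT_NUMBER'
  else
    gcloud projects describe "$1" --format='value(projectNumber)'
  fi
}

# Email of the Batch service agent of the job-submitting project (Project-A).
# Assumed naming pattern; the argument is the project NUMBER, not the ID.
batch_service_agent() {
  printf 'service-%s@gcp-sa-cloudbatch.iam.gserviceaccount.com' "$1"
}

# IAM member string for that service agent.
agent_member() {
  printf 'serviceAccount:%s' "$(batch_service_agent "$1")"
}

# Read members one per line on stdin; succeed only if the wanted one is present.
has_member() {
  grep -qxF -- "$1"
}

# Step 1 from the thread: stop enforcing the constraint that blocks
# cross-project service account usage, on the chosen project.
disable_cross_project_constraint() {
  run gcloud resource-manager org-policies disable-enforce \
    iam.disableCrossProjectServiceAccountUsage --project="$1"
}

# Step 2 from the thread: grant roles/iam.serviceAccountUser ("act as") on the
# Project-B service account to Project-A's Batch service agent only.
grant_act_as() {
  sa_email=$1; sa_project=$2; member=$3
  run gcloud iam service-accounts add-iam-policy-binding "$sa_email" \
    --project="$sa_project" --member="$member" \
    --role=roles/iam.serviceAccountUser
}

# Members holding serviceAccountUser on the SA, one per line (for verification).
list_act_as_members() {
  gcloud iam service-accounts get-iam-policy "$1" --project="$2" \
    --flatten='bindings[].members' \
    --filter='bindings.role:roles/iam.serviceAccountUser' \
    --format='value(bindings.members)'
}

# Usage: setup_cross_project_sa JOB_PROJECT_ID SA_EMAIL SA_PROJECT_ID [POLICY_PROJECT_ID]
setup_cross_project_sa() {
  job_project=$1; sa_email=$2; sa_project=$3; policy_project=${4:-$3}
  member=$(agent_member "$(project_number "$job_project")")
  disable_cross_project_constraint "$policy_project"
  grant_act_as "$sa_email" "$sa_project" "$member"
  if [ "$DRY_RUN" != "1" ]; then
    if list_act_as_members "$sa_email" "$sa_project" | has_member "$member"; then
      echo "OK: $member can act as $sa_email"
    else
      echo "MISSING: $member has no serviceAccountUser on $sa_email" >&2
      return 1
    fi
  fi
}

# Example invocation (constructed names; gcloud runs only with DRY_RUN=0):
#   DRY_RUN=0 sh setup.sh project-a my-sa@project-b.iam.gserviceaccount.com project-b
if [ $# -ge 3 ]; then
  setup_cross_project_sa "$@"
fi
```

The binding is granted to the Batch service agent rather than to your own user because it is the agent, not you, that impersonates the service account when the job runs; keeping the grant scoped to that single principal and that single service account is the least-privilege shape of the fix.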

Glad to hear that it resolved your issue :tada: