Cross project management using service account
I need a service account that can access multiple projects, but I have not been able to find a way to do this at all. It seems that a service account is always bound to a project.
Another option is to create a service account on the separate projects and then authenticate them using gcloud auth activate-service-account --key-file SOME_FILE.json
, but the problem here is that it does not seem possible to automate the creation of service accounts.
So the question is then: Is it possible to create a cross project service account or to automate the creation of a service accounts? Even better would be if I could do both
Solution 1:
You should be able to add a service account to another project:
Create the first service account in project A in the Cloud Console. Activate it using
gcloud auth activate-service-account
.In the Cloud Console, navigate to project B. Find the "IAM & admin" > "IAM" page. Click the "Add" button. In the "New members" field paste the name of the service account (it should look like a strange email address) and give it the appropriate role.
Run
gcloud
commands with--project
set to project B. They should succeed (I just manually verified that this will work).
Automatic creation of service accounts is something that we're hesitant to do until we can work through all of the security ramifications.
Solution 2:
I know its a bit old, but if anyone is still looking for this,To add to @Zachary Newman answer, To make things clear, After you created a service account in project A you should go to project B to "IAM" (not "Service Accounts"), There you will be able to add the email you just created with proper roles.
Solution 3:
I have confirmed that custom token signing worked with @Zachary Newman's procedure.
My concrete procedure of how I created a custom token in a GAE app in project A which can be used to connect to Firestore of project B is as follows:
- In "IAM" page of project B, add service account
{project-a}@appspot.gserviceaccount.com
which is a GAE default service account of project A. - In "IAM" page of project B, assign "Service Account Token Creator" role to
{project-a}@appspot.gserviceaccount.com
. - Call the Firebase Admin SDK
initializeApp
method in a GAE app in project A with specifyingfirebase-adminsdk-xxxxx@{project-b}.iam.gserviceaccount.com
, which is a service account with "Firebase Admin SDK Administrator Service Agent" in project B, asserviceAccountId
andhttps://{project-b}.firebaseio.com
asdatabaseURL
and then create a custom token.