Using service accounts across projects in GCP

George Tseres
Mar 30, 2020

Let’s say that you have a GCP project where you have created a service account for a Kubernetes pod or Cloud Function, and you want that service account to operate on resources in another project. How can you achieve this?

As of March 2020, a service account is a project-level resource, so you can’t create one at the folder or organisation level. The service account itself, however, is just an identity: an IAM policy in any project can list it as a member, regardless of which project it was created in.

But how can we overcome this limitation? 🤔

To illustrate how we can use a service account across projects, let’s start with an existing service account in one of our GCP projects:

  1. Navigate to IAM & Admin > Service accounts in the project that owns the service account (let’s name it project A) and note its email (of the form name@project-a-id.iam.gserviceaccount.com), as it will be needed in step 3.
  2. Go to the destination project, i.e. the one the service account needs to act in, open IAM & Admin > IAM and click “ADD” at the top.
  3. Enter the email from step 1 as the new member and grant the role of your choice (e.g. Kubernetes Engine Cluster Viewer, or a custom role with only the permissions the job needs). The binding is recorded in the destination project’s IAM policy; nothing changes in project A.
  4. Voila! The service account lives in project A but now holds permissions in another project. Steps 2 and 3 can be repeated for as many projects as you need to grant the service account access to 🚀
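The same steps expressed as an operation on the destination project’s IAM policy document, as an added example (this is not code from the original post). The policy dict below mirrors the JSON that `gcloud projects get-iam-policy PROJECT_B --format=json` returns, and `add_binding()` does what the console’s “ADD” button, or `gcloud projects add-iam-policy-binding PROJECT_B --member='serviceAccount:EMAIL' --role='roles/container.clusterViewer'`, does under the hood: read the policy, append the member to the role’s binding, write it back with the same etag. It also adds a small audit, `foreign_service_accounts()`, that lists service accounts from other projects holding roles in this one. The project IDs, emails, etag and policy are constructed for the example.

```python
"""Cross-project grant as an operation on project B's IAM policy document.

Added example, not code from the original post. The policy dict mirrors the
JSON that `gcloud projects get-iam-policy PROJECT_B --format=json` returns;
add_binding() performs the same read-modify-write the console's "ADD" button
(or `gcloud projects add-iam-policy-binding`) performs, and
foreign_service_accounts() audits which service accounts from *other*
projects hold roles here. Project IDs, emails and the etag are constructed.
"""
import copy
import re
from typing import Dict, List, Optional

# Member string of a service account: serviceAccount:NAME@PROJECT_ID.iam.gserviceaccount.com
# (loose pattern: real names and project IDs have length limits this does not enforce).
SA_MEMBER_RE = re.compile(
    r"^serviceAccount:([a-z][a-z0-9-]*)@([a-z][a-z0-9-]*)\.iam\.gserviceaccount\.com$"
)


def member_project(member: str) -> Optional[str]:
    """Project ID that owns a service-account member, or None for other principal types.

    Google-managed service agents (service-NUMBER@gcp-sa-*.iam.gserviceaccount.com)
    also match; filter them out if you only care about user-managed accounts.
    """
    m = SA_MEMBER_RE.match(member)
    return m.group(2) if m else None


def add_binding(policy: Dict, role: str, member: str) -> Dict:
    """Return a copy of `policy` in which `member` holds `role` (idempotent).

    The etag is kept so that setIamPolicy rejects the write if someone changed
    the policy in between; bindings carrying a `condition` are left untouched
    and an unconditional binding is added instead, as gcloud does when no
    --condition is given.
    """
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def foreign_service_accounts(policy: Dict, project_id: str) -> Dict[str, List[str]]:
    """Service accounts owned by other projects -> roles they hold in this policy."""
    found: Dict[str, List[str]] = {}
    for binding in policy.get("bindings", []):
        for member in binding["members"]:
            owner = member_project(member)
            if owner is not None and owner != project_id:
                found.setdefault(member, []).append(binding["role"])
    return found


# Constructed sample: destination project B's policy before the grant.
PROJECT_B = "project-b-prod"
POLICY_B = {
    "version": 1,
    "etag": "BwWXYZ1234=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {
            "role": "roles/container.clusterViewer",
            "members": ["serviceAccount:ci@project-b-prod.iam.gserviceaccount.com"],
        },
    ],
}
# The service account created in project A (step 1), as an IAM member string.
MONITOR_SA = "serviceAccount:monitor@project-a-tools.iam.gserviceaccount.com"


def grant_cluster_viewer() -> Dict:
    """Steps 2-3 of the post: grant project A's account Cluster Viewer in project B."""
    return add_binding(POLICY_B, "roles/container.clusterViewer", MONITOR_SA)


if __name__ == "__main__":
    after = grant_cluster_viewer()
    # What a reviewer of project B's policy now sees: one principal from project-a-tools.
    for sa, roles in foreign_service_accounts(after, PROJECT_B).items():
        print(f"{sa} (owned by {member_project(sa)}): {', '.join(roles)}")
```

Note that the source project never appears in the result: the grant is recorded only in project B’s policy, which is why the audit has to be run against each destination project.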

This pattern is particularly useful when a separate project hosts automation or monitoring jobs that span multiple projects. Following the steps above, you grant that project’s service account exactly the roles it needs in each target project. Two things to keep in mind: every additional project widens the blast radius if the service account (or one of its keys) is compromised, so keep the granted roles as narrow as possible; and the grants are visible only in the IAM policy of each destination project, so review those policies, not project A’s, when you want to know what the account can do.
