Go to the destination project, i.e. the one we want to grant the service account access to, open IAM & Admin → IAM and click on “ADD” at the top. Use the email you noted at step 1 and grant the role of your choice (e.g. Kubernetes Engine Cluster Viewer, or a custom role if needed). Voila!
A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs. Typically, service accounts are used in scenarios such as: Running workloads on virtual machines (VMs).
A project service account is a Google Cloud Platform service account that is chosen to be used for identification of automated requests to HYCU for GCP within a Google Cloud Platform project. Such requests must be authenticated similarly to the ones that you invoke interactively through the solution's web user interface.
For example, if a principal has the Service Account User role on a service account, and the service account has the Cloud SQL Admin role (roles/cloudsql.admin) on the project, then the principal can impersonate the service account to create a Cloud SQL instance.
You should be able to add a service account to another project:
1. Create the first service account in project A in the Cloud Console. Activate it using gcloud auth activate-service-account.
2. In the Cloud Console, navigate to project B. Find the "IAM & admin" > "IAM" page. Click the "Add" button. In the "New members" field paste the name of the service account (it should look like a strange email address) and give it the appropriate role.
3. Run gcloud commands with --project set to project B. They should succeed (I just manually verified that this will work).
Automatic creation of service accounts is something that we're hesitant to do until we can work through all of the security ramifications.
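Step 2 of the answer above is, underneath the console button, a change to project B's IAM policy. As an added example (not code from the answer or from Google's tooling), here is that grant expressed as a merge into the policy document in the shape gcloud projects get-iam-policy --format=json returns, together with a check of which roles the project-A service account ends up holding in project B. The project ids, service-account email and policy contents are constructed sample values.

```python
"""Cross-project grant as an IAM policy mutation (constructed sample data)."""
import copy
import json

def sa_member(sa_email: str) -> str:
    """IAM member string for a service-account principal."""
    return f"serviceAccount:{sa_email}"

def add_binding(policy: dict, role: str, member: str) -> dict:
    """Return a new policy with `member` granted `role`, the way an
    add-iam-policy-binding works: reuse an existing unconditional binding
    for the role (never a conditional one) and do not duplicate the member.
    The etag is carried over unchanged so a later setIamPolicy call fails
    on a concurrent edit instead of silently overwriting it."""
    new = copy.deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new

def roles_of(policy: dict, member: str) -> list:
    """Roles the member holds in this project. Run it before and after the
    grant so the foreign service account keeps only what its workload needs."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))

# Constructed IAM policy of "project-b" before the grant.
PROJECT_B_POLICY = {
    "etag": "BwXconstructed=",
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/container.clusterViewer",
         "members": ["user:bob@example.com"]},
    ],
}
# Service account created in project A; its email is the principal granted in B.
SA_A = sa_member("automation@project-a.iam.gserviceaccount.com")

if __name__ == "__main__":
    updated = add_binding(PROJECT_B_POLICY, "roles/container.clusterViewer", SA_A)
    print(json.dumps(updated, indent=2))
    print("roles held in project-b:", roles_of(updated, SA_A))
```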
I know it's a bit old, but if anyone is still looking for this, to add to @Zachary Newman's answer and make things clear: after you have created a service account in project A, you should go to project B's "IAM" page (not "Service Accounts"). There you will be able to add the email you just created with the proper roles.
I have confirmed that custom token signing worked with @Zachary Newman's procedure.
My concrete procedure of how I created a custom token in a GAE app in project A which can be used to connect to Firestore of project B is as follows:
1. {project-a}@appspot.gserviceaccount.com, which is the GAE default service account of project A.
2. Call the initializeApp method in a GAE app in project A, specifying firebase-adminsdk-xxxxx@{project-b}.iam.gserviceaccount.com, which is a service account with "Firebase Admin SDK Administrator Service Agent" in project B, as serviceAccountId and https://{project-b}.firebaseio.com as databaseURL, and then create a custom token.