1

So I have a Google Cloud Service Account one sa-1@myproject.iam.gserviceaccount.com that has access to roles A and B.

There is Service Account two sa-2@myproject.iam.gserviceaccount.com which I need to have access to roles A, B, and C.

How do I get sa-2 to have the same access as sa-1 and some other access too?

I tried to add sa-2 as a principal to sa-1 with the Service Account Admin role.

  1. IAM & Admin
  2. Service Accounts
  3. Select sa-1
  4. "+ Grant Access"
  5. Specify sa-2 in dropdown for New principals
  6. Click "Save"

But there is still access denied on the GCP service using the sa-2 account.

I'm trying to get an inherited relationship between the two SAs.

1 Answer

1

In order to grant a Google Cloud Service Account the same permissions as Service Account 1, you will need to grant Service Account 2 the roles/iam.serviceAccountUser role on Service Account 1. This will allow Service Account 2 to inherit the roles granted to Service Account 1, and you can then grant additional roles to Service Account 2 to give it additional access. You can do this by going to the IAM page in the Google Cloud Console and setting the role to Service Account User for Service Account 2.

For more information follow this doc.
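
Added example, not part of the question or the answer above: role bindings live in the IAM policy of the resource they were granted on, so one way to give sa-2 the project-level roles sa-1 holds is to add sa-2 to the same bindings in the project policy and then add the extra role. It assumes roles A and B were granted at project level and that the policy was exported as JSON (for instance with `gcloud projects get-iam-policy myproject --format=json`); the `roles/example.*` names, `mirror_bindings` and `roles_of` are hypothetical, and the sample policy is constructed.

```python
import copy
import json

SA1 = "serviceAccount:sa-1@myproject.iam.gserviceaccount.com"
SA2 = "serviceAccount:sa-2@myproject.iam.gserviceaccount.com"

# Constructed sample in the JSON shape of a project IAM policy export.
# roles/example.roleA/B/C are placeholders for roles A, B and C.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/example.roleA",
     "members": ["serviceAccount:sa-1@myproject.iam.gserviceaccount.com"]},
    {"role": "roles/example.roleB",
     "members": ["serviceAccount:sa-1@myproject.iam.gserviceaccount.com", "user:alice@example.com"],
     "condition": {"title": "constructed",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/example.roleC", "members": ["user:alice@example.com"]}
  ],
  "etag": "CONSTRUCTED_ETAG",
  "version": 3
}
""")

def mirror_bindings(policy, source, target, extra_roles=()):
    """Return a copy of policy with target added wherever source is bound, plus extra_roles."""
    new = copy.deepcopy(policy)  # etag and version are kept for the later write-back
    bindings = new.setdefault("bindings", [])
    for b in bindings:
        # Appending to the existing binding keeps any condition attached to it.
        if source in b.get("members", []) and target not in b["members"]:
            b["members"].append(target)
    for role in extra_roles:
        # Reuse only an unconditional binding; never widen a conditional one.
        match = next((b for b in bindings
                      if b["role"] == role and "condition" not in b), None)
        if match is None:
            match = {"role": role, "members": []}
            bindings.append(match)
        if target not in match["members"]:
            match["members"].append(target)
    return new

def roles_of(policy, member):
    """Roles the member holds in this policy, sorted."""
    return sorted({b["role"] for b in policy.get("bindings", [])
                   if member in b.get("members", [])})

if __name__ == "__main__":
    updated = mirror_bindings(SAMPLE_POLICY, SA1, SA2, ["roles/example.roleC"])
    print(json.dumps(updated, indent=2))
```

The printed policy can be reviewed and written back with `gcloud projects set-iam-policy`. Roles granted on individual resources rather than on the project are not in this policy and are not covered.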