尝试在 GCP 中创建 BigQuery 数据集传输配置从项目 A 到项目 B

Question

I have a Service Account in Project A admin@proj1.iam.gserviceaccount.com this is a Project Owner Throughout my organization, so we use this to create resources in different projects using our Automation.

I am Trying to Create a Google Big query Data Transfer Config via Terraform in Project B using the Service account mentioned above from Project A . And its giving me this error

Error creating Config: googleapi: Error 400: P4 service account needs iam.serviceAccounts.getAccessToken permission. Running the following command may resolve this error: gcloud iam service-accounts add-iam-policy-binding Admin@projectA.iam.gserviceaccount.com --member='serviceAccount:service-<Project_B_ID>@gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com' --role='roles/iam.serviceAccountTokenCreator'

I tried running the above in ProjectB where the data set would be created, and it gave me a error the admin@proj1.iam.gserviceaccount.com does not exist. I have not tried it(not allowed to run CLI cmd )in ProjectA plus everything is Managed via Terraform, is there a way around to resolve this without needing to run this manually.

Or any other form to resolve this issue?

FYI: This is only about resource creation, the data set and its transfer are gonna be local to project B only

Answer 1

You need to bind the user “admin@proj1.iam.gserviceaccount.com” to project B and assign the role “roles/iam.serviceAccountTokenCreator” .More information here .

You can use this example code with terminal

gcloud iam service-accounts add-iam-policy-binding Admin@projectA.iam.gserviceaccount.com --member='serviceAccount:service-<Project_B_ID>@gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com' --role='roles/iam.serviceAccountTokenCreator'

Or you can use the IAM console and assign this role roles/iam.serviceAccountTokenCreator to the user admin@proj1.iam.gserviceaccount.com .