
Adding cross project service account in GCP cloud functions

We have added an IAM service account from Project A to Project B in GCP with Cloud Functions Admin permissions.

We are now trying to create a Cloud Function in Project B using the same service account.

But the service account is not listed in the drop-down menu during creation of the Cloud Function. Only the service accounts created locally in the project are visible in the drop-down menu.


Any suggestion for using cross-project service accounts in Cloud Functions?

You cannot use service accounts from external projects as the runtime SA for a Cloud Function; this is why you don't see the service account in the drop-down menu.

When you grant permissions to the service account from Project A in Project B, you only do that: grant permissions. Keep in mind that the SA continues to be part of Project A and not Project B.

This works in the same way as Cloud Scheduler:

The service account must belong to the same project as the one in which the Cloud Scheduler jobs are created.

What the steps here suggest to make this possible is to impersonate the service account from Project A using a service account of Project B, but you will notice that you actually attach an account from the same project where the function is.

If you need to access resources in Project A from Project B, then use in your function a SA from the same project and add the needed permissions for that SA in Project A, or use the impersonation approach if you prefer.

I'm flummoxed:-(

I tried this using gcloud and am unable to get it to work.

I tried granting the Cloud Functions project's Compute Engine service account roles/serviceAccountUser on the desired (remote) Service Account but I continue to get:

ERROR: (gcloud.beta.functions.deploy) PERMISSION_DENIED:
Permission 'iam.serviceaccounts.actAs' denied on service account
${ACCOUNT}@${OTHER-PROJECT}.iam.gserviceaccount.com

Perhaps the remote account needs Cloud Functions deploy permissions too?

Yes, it is possible to use a service account across projects to deploy a Cloud Function.

Please follow the link below to grant the necessary permissions.

https://cloud.google.com/functions/docs/securing/function-identity#gcloud_2


If the service account and the function are in different projects, from the project where the service account is located:

Configure the service account to work across projects. Grant the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) to both of these Google-managed service accounts:

App Engine default service account (PROJECT_ID@appspot.gserviceaccount.com)
Cloud Functions Service Agent (service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com)

These Google accounts manage cross-project access for your service account.

Grant the service account access to the resource. The method for doing this depends on the resource type.

Connect the service account with your function. You can do this either at deployment time or by updating a previously deployed function.


Using the above guidance, we are still not able to view the new SA across projects, but we are able to deploy it via the CLI.

A sample CLI command is below:

gcloud functions deploy FUNCTION_NAME \
  --trigger-topic TOPIC_NAME --region REGION_NAME --runtime RUNTIME \
  --entry-point ENTRY_POINT --service-account SERVICE_ACCOUNT_EMAIL

Please note: while deploying the CF using the CLI, you need to be in the working directory where main.py and the other files are located.
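The steps from the linked doc and the deploy command above, assembled into one script. This is an added example, not from the answer or from Google's docs; every project id, project number, account and principal in it is a placeholder, and the Google-managed accounts it grants Token Creator to are the ones belonging to the function's project (B), bound on the SA that lives in project A.

```shell
#!/bin/sh
# Added example (not from the answer or the Google docs). All values are placeholders:
#   SA_EMAIL / SA_PROJECT       : the external runtime SA and the project that owns it (A)
#   FN_PROJECT / FN_PROJECT_NUM : id and number of the project the function is deployed in (B)
#   DEPLOYER                    : principal running 'gcloud functions deploy', e.g. user:alice@example.com
# Set DRY_RUN=1 to print the gcloud commands instead of executing them.

# The two Google-managed accounts of the FUNCTION project that must hold
# Service Account Token Creator on the external SA (step 1 of the linked doc).
fn_project_agents() {
  fn_project=$1; fn_project_num=$2
  printf 'serviceAccount:%s@appspot.gserviceaccount.com\n' "$fn_project"
  printf 'serviceAccount:service-%s@gcf-admin-robot.iam.gserviceaccount.com\n' "$fn_project_num"
}

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# The bindings sit on the SA itself, so they are applied in the SA's project (A).
grant_cross_project_access() {
  sa_email=$1; sa_project=$2; fn_project=$3; fn_project_num=$4; deployer=$5
  for member in $(fn_project_agents "$fn_project" "$fn_project_num"); do
    run gcloud iam service-accounts add-iam-policy-binding "$sa_email" \
      --project="$sa_project" --member="$member" \
      --role=roles/iam.serviceAccountTokenCreator
  done
  # Whoever deploys needs iam.serviceAccounts.actAs on the SA (roles/iam.serviceAccountUser);
  # without it the deploy fails with the PERMISSION_DENIED quoted in the comment above.
  run gcloud iam service-accounts add-iam-policy-binding "$sa_email" \
    --project="$sa_project" --member="$deployer" --role=roles/iam.serviceAccountUser
}

# Step 3: attach the external SA at deploy time. Run from the function's source directory.
deploy_with_external_sa() {
  fn_name=$1; fn_project=$2; region=$3; runtime=$4; topic=$5; entry=$6; sa_email=$7
  run gcloud functions deploy "$fn_name" --project="$fn_project" --region="$region" \
    --runtime="$runtime" --trigger-topic="$topic" --entry-point="$entry" \
    --service-account="$sa_email"
}
```

Call grant_cross_project_access once from an identity that administers the SA's project, then deploy_with_external_sa; as the answer notes, the console drop-down still will not list the external SA even after the deploy succeeds.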
