Reputation: 878
I have two GCP projects, one for continuous integration builds, and one for the team project.
com-build contains:
service account: [email protected] with roles service-account-administrator and cloudbuild-service-account
g iam service-accounts get-iam-policy [email protected] --project=com-build
--> etag: ACAB
com-project contains:
service account: [email protected] with roles service-account-administrator and compute-instance-administrator
g iam service-accounts get-iam-policy [email protected] --project=com-project
--> etag: ACAB
I set up the cloudbuild.json file to update its container on code push, like this:
{
  "steps": [
    {
      "name": "gcr.io/cloud-builders/docker",
      "args": [
        "build",
        "-t",
        "****:latest",
        "."
      ]
    },
    {
      "name": "gcr.io/cloud-builders/docker",
      "args": [
        "push",
        "***:latest"
      ]
    },
    {
      "name": "gcr.io/cloud-builders/gcloud",
      "args": [
        "compute",
        "instances",
        "update-container",
        "***",
        "--project=com-project",
        "--zone=somewhere"
      ]
    }
  ]
}
I get the following error:
ERROR: (gcloud.compute.instances.update-container) The user does not have access to service account '[email protected]'. User: '[email protected]'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account
But both service accounts have the role (I checked 20 times in the IAM settings). Am I missing something?
Upvotes: 0
Views: 645
Reputation: 878
Found my problem:
[email protected] had to have access to the Editor role in order to edit resources in the other project.
Upvotes: 0
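The `etag: ACAB` output in the question is what `get-iam-policy` prints for a service account that has no bindings of its own, so any right to act as it must come from the project level. The Python sketch below is an added example, not code from the post: it reads policy JSON in the shape returned by `get-iam-policy --format=json` and reports where a member's act-as right comes from. The member name and all sample policies are constructed.

```python
import json

ACT_AS_ROLE = "roles/iam.serviceAccountUser"
# Basic roles that also include iam.serviceAccounts.actAs, far wider than needed.
BROAD_ROLES = ("roles/editor", "roles/owner")


def roles_for(member, policy):
    """Roles bound unconditionally to `member` in one IAM policy document."""
    roles = set()
    for binding in policy.get("bindings", []):  # an empty policy has no "bindings"
        if "condition" in binding:
            continue  # conditional grants need separate review; not counted here
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def act_as_source(member, sa_policy, project_policy):
    """Report where `member` gets the right to act as the service account."""
    if ACT_AS_ROLE in roles_for(member, sa_policy):
        return "service-account binding"
    project_roles = roles_for(member, project_policy)
    if ACT_AS_ROLE in project_roles:
        return "project-wide serviceAccountUser"
    broad = sorted(r for r in BROAD_ROLES if r in project_roles)
    return "broad basic role: " + broad[0] if broad else None


# Constructed sample data: the member name and all policies below are made up.
BUILDER = "serviceAccount:builder@com-build.iam.gserviceaccount.com"
EMPTY_SA_POLICY = json.loads('{"etag": "ACAB"}')  # the shape shown in the question
SCOPED_SA_POLICY = json.loads("""
{"bindings": [{"role": "roles/iam.serviceAccountUser",
               "members": ["serviceAccount:builder@com-build.iam.gserviceaccount.com"]}],
 "etag": "constructed"}
""")
EDITOR_PROJECT_POLICY = json.loads("""
{"bindings": [{"role": "roles/editor",
               "members": ["serviceAccount:builder@com-build.iam.gserviceaccount.com"]}],
 "etag": "constructed"}
""")

if __name__ == "__main__":
    no_project_grants = {"etag": "constructed"}
    print(act_as_source(BUILDER, EMPTY_SA_POLICY, no_project_grants))
    print(act_as_source(BUILDER, SCOPED_SA_POLICY, no_project_grants))
    print(act_as_source(BUILDER, EMPTY_SA_POLICY, EDITOR_PROJECT_POLICY))
```

Of the three outcomes, "service-account binding" is the narrowest grant and is the one the error message asks for.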