Reputation: 1
We have an existing VPC SC around multiple projects with an Access Level that allows SA1 to access restricted services. Now we are trying to add an ingress rule to allow SA2. We have defined the correct ingress_from (source project, and service account as identity) and ingress_to (resources and service name, with all methods allowed), but we are still getting the error "violationReason": "NO_MATCHING_ACCESS_LEVEL". My questions are:
Do I need to allow SA2 in the access level as well? Won't that give it access to all of the projects instead of the one defined in the ingress rule?
Do I need to have an access level with the SA if I need to allow a service account as identity in the ingress rule?
Upvotes: 0
Views: 1340
Reputation: 1
It should work with the ingress policy (i.e. source project and service account as identity); you don't need to pass an access level. If it is not working, then either the source of the request is not the mentioned project, or there is some problem with VPC SC that should be investigated by Google.
Upvotes: 0
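As an added illustration (not part of either post and not Google's implementation), here is a simplified model of matching a request against an ingress rule before the perimeter-wide access level is considered, showing how a request from SA2 with the wrong source ends in NO_MATCHING_ACCESS_LEVEL. The rule keys follow the ingress policy YAML; the project numbers, service account names, request fields and ALLOWED_* labels are constructed assumptions.

```python
# Simplified model of VPC SC ingress evaluation (added example, constructed data).
SA1 = "serviceAccount:sa1@admin-project.iam.gserviceaccount.com"  # hypothetical
SA2 = "serviceAccount:sa2@src-project.iam.gserviceaccount.com"    # hypothetical

RULE = {
    "ingressFrom": {
        "identities": [SA2],
        "sources": [{"resource": "projects/111111111111"}],
    },
    "ingressTo": {
        "resources": ["projects/222222222222"],
        "operations": [{"serviceName": "storage.googleapis.com",
                        "methodSelectors": [{"method": "*"}]}],
    },
}
# Perimeter-wide access level: applies to every project in the perimeter.
ACCESS_LEVEL_MEMBERS = {SA1}


def rule_mismatches(rule, req):
    """Return the ingress rule attributes the request fails to satisfy."""
    frm, to = rule["ingressFrom"], rule["ingressTo"]
    failed = []
    if req["identity"] not in frm["identities"]:
        failed.append("identity")
    if req["source"] not in [s.get("resource") for s in frm["sources"]]:
        failed.append("source")
    if "*" not in to["resources"] and req["target"] not in to["resources"]:
        failed.append("target resource")
    ops = [o for o in to["operations"] if o["serviceName"] == req["service"]]
    methods = {m["method"] for o in ops for m in o["methodSelectors"]}
    if not ({"*", req["method"]} & methods):
        failed.append("operation")
    return failed


def evaluate(req):
    """All rule attributes must match; otherwise fall back to the access level."""
    if not rule_mismatches(RULE, req):
        return "ALLOWED_BY_INGRESS_RULE"
    if req["identity"] in ACCESS_LEVEL_MEMBERS:
        return "ALLOWED_BY_ACCESS_LEVEL"
    return "NO_MATCHING_ACCESS_LEVEL"


BASE = {"identity": SA2, "source": "projects/111111111111",
        "target": "projects/222222222222",
        "service": "storage.googleapis.com", "method": "google.storage.objects.get"}
WRONG_SOURCE = dict(BASE, source="projects/333333333333")  # SA2 used elsewhere
SA1_ANY_PROJECT = dict(BASE, identity=SA1, source=None,
                       target="projects/444444444444")
```

In this model `rule_mismatches(RULE, WRONG_SOURCE)` names the attribute to check first when the identity is correct but the call is still denied.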