GCP service account issue

Question

I have 2 projects

Under project 1 : I have created a service account.

Under project 2 : I have enable dataflow service API. I have added the service account(which was created under project 1) with owner role .

Issue

I have authenticated successfully into project 2 using python. When I try to create, list dataflow services under the project 2

"403 Dataflow API has not been used in project "project1" before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/dataflow.googleapis.com/overview?project=project1 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry."

However I enabled the dataflow API service in project1 and now able to access it under project 2.

Is it that we need to enable the Dataflow API service in project1 in order to use it in project 2 ?Is this how it works? Is there a better way/ right way to solve this?

I don't want to keep enabling service in a project which I don't need to use.

Answer 1

Create a separate service account specifically for Project 2 and grant it the necessary permissions to access the Dataflow service in that project. This way, you would not need to enable the Dataflow API in Project 1.

Alternatively, you could use a Shared VPC setup and give access to a project to another project's service account by adding the service account to the IAM roles of the other project's Shared VPC host project. This way the service account doesn't need to be enabled for the dataflow API in both projects.