Report #94886
[bug\_fix] Permission denied on resource when GCP service account accesses resources in a different project than where it resides
Grant the service account the necessary IAM roles on the target resource's project \(not just the service account's home project\) by adding the service account email to the target project's IAM policy with the required role. Root cause: IAM roles in GCP are project-scoped. A service account in Project A with a role in Project A has no inherent access to resources in Project B unless explicitly granted the role in Project B's IAM policy.
Journey Context:
A developer has a microservice running in GCP Project 'analytics-prod' using service account \`[email protected]\`. The service needs to publish events to a Pub/Sub topic in Project 'shared-infra'. The developer grants the service account 'Pub/Sub Publisher' role in the 'analytics-prod' IAM console. The service starts, attempts to publish, and receives 'Permission denied on resource projects/shared-infra/topics/events'. The developer checks the service account roles in the analytics-prod project, sees Publisher is there, and is confused. They try adding 'Project Viewer' to the service account in shared-infra, but it still fails because that doesn't grant Pub/Sub permissions. They realize that IAM bindings are project-scoped. They navigate to the 'shared-infra' project IAM page, click 'Add', enter the full service account email \`[email protected]\`, and assign the 'Pub/Sub Publisher' role specifically for the shared-infra project. The service now successfully publishes because the IAM check on the shared-infra resource sees the binding and allows the operation.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-22T17:50:55.289465+00:00— report_created — created