I have a problem with a GCP IAM policy across projects on the DNS API (perhaps other API entries too). For GCP management I use the gcloud command and Terraform.
Check my setup: A first GCP project: myproject-cloud. This project hosts a DNS managed zone.
A second project (akecld-test-demo), with a service account. This account is used with Terraform to create instances, disks etc... no problem with that. I play with gcloud to confirm the wrong setup with the DNS API.
When I want to add (or list) an entry in the DNS zone (set up and held in the first project) I get a 403 error.
gcloud --account=provisioner@akecld-test-demo.iam.gserviceaccount.com dns managed-zones list --project=myproject-cloud
API [dns.googleapis.com] not enabled on project [xxxxxxxxx]....
The DNS API works with a service account that was created in the first project, but not with a service account hosted in another project.
I have added an IAM policy:
gcloud projects add-iam-policy-binding myproject-cloud --member="serviceAccount:provisioner@akecld-test-demo.iam.gserviceaccount.com" --role="roles/dns.admin"
I can't find the right roles or policies to add...
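As an added diagnostic (not from the post above), the script below checks the two things the error text and the binding command touch: whether dns.googleapis.com is enabled in each project (the 403 names a project on which the API is disabled), and whether the service account actually holds roles/dns.admin on the zone project. It assumes gcloud is installed and authenticated; the project ids, service account and role are taken from the post, and the sample policy JSON is constructed so the parsing helper can be exercised offline.

```shell
#!/bin/sh
# Values from the post.
ZONE_PROJECT="myproject-cloud"    # hosts the DNS managed zone
SA_PROJECT="akecld-test-demo"     # hosts the service account
SA="provisioner@${SA_PROJECT}.iam.gserviceaccount.com"
ROLE="roles/dns.admin"

# Pure helper: given the JSON of a project IAM policy (as printed by
# `gcloud projects get-iam-policy PROJECT --format=json`), return 0 when
# serviceAccount:MEMBER is listed under ROLE, 1 otherwise. Uses grep only,
# so it works without jq; assumes gcloud's key order (members before role)
# and an unconditional binding.
policy_has_binding() {
  policy="$1"; member="$2"; role="$3"
  printf '%s' "$policy" | tr -d '\n ' \
    | grep -o "{\"members\":\[[^]]*\],\"role\":\"$role\"}" \
    | grep -q "\"serviceAccount:$member\""
}

# Live check (needs gcloud): is the Cloud DNS API enabled in project $1?
api_enabled() {
  gcloud services list --enabled --project="$1" --format="value(config.name)" \
    | grep -qx "dns.googleapis.com"
}

# Run all checks and print what is missing.
diagnose() {
  for p in "$ZONE_PROJECT" "$SA_PROJECT"; do
    if api_enabled "$p"; then
      echo "dns.googleapis.com is enabled in $p"
    else
      echo "dns.googleapis.com is NOT enabled in $p (gcloud services enable dns.googleapis.com --project=$p)"
    fi
  done
  policy=$(gcloud projects get-iam-policy "$ZONE_PROJECT" --format=json)
  if policy_has_binding "$policy" "$SA" "$ROLE"; then
    echo "$SA holds $ROLE on $ZONE_PROJECT"
  else
    echo "$SA does NOT hold $ROLE on $ZONE_PROJECT"
  fi
}

# Constructed sample policy (not real gcloud output) for offline use of the helper.
SAMPLE_POLICY='{"bindings":[{"members":["serviceAccount:provisioner@akecld-test-demo.iam.gserviceaccount.com"],"role":"roles/dns.admin"}],"etag":"BwXx","version":1}'

# Uncomment to run the live checks against your projects:
# diagnose
```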