GCP Shared VPC Role Issue


I have a GCP service project attached to a GCP host project.

In my pipeline I get a service account key with roles/owner access to the service project.

When Terraform runs, I see this:

Error: Error reading Network Not Found : xpn0: googleapi: Error 403: Required 'compute.networks.get' permission for 'projects/<host project id redacted>/global/networks/xpn0', forbidden

xpn0 is a network in the host project.

I’m not quite sure how I can give permissions to Terraform to get access to this resource in the host project.

A Vault GCP roleset only allows binding roles to the service account.

I think I would somehow need to give permissions to the temporary Vault account in the host project, except that isn’t possible, because Vault uses dynamic names for the service accounts.

Since there is no provider associated with this shared VPC resource, I can’t provide alternative credentials to Terraform directly.

Any help would be greatly appreciated.
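As an added example (not the poster's configuration and not a confirmed fix), one way to cover both halves of the problem in Terraform is to let the Vault roleset carry a binding on the host project, so the dynamically named service account receives it each time Vault creates it, and to read the network with the host project set explicitly. The vault_gcp_secret_roleset schema, the placeholder project IDs and the choice of roles/compute.networkUser are assumptions.

```hcl
# Added example, not the original poster's configuration. Project IDs are
# placeholders, and the exact role set is an assumption based on GCP's
# documented Shared VPC pattern (roles/compute.networkUser on the host project).

variable "host_project"    { default = "HOST_PROJECT_ID_PLACEHOLDER" }
variable "service_project" { default = "SERVICE_PROJECT_ID_PLACEHOLDER" }

# Vault GCP secrets engine roleset, managed through the Vault Terraform
# provider (assumed schema of vault_gcp_secret_roleset). The service account
# is created in the service project, but a binding block can target any
# resource, including the host project, so the dynamically named account
# receives the host-project role every time Vault (re)creates it. Vault's own
# credential must be allowed to set IAM policy on the host project.
resource "vault_gcp_secret_roleset" "terraform_pipeline" {
  backend     = "gcp"
  roleset     = "terraform-pipeline"
  secret_type = "service_account_key"
  project     = var.service_project

  binding {
    resource = "//cloudresourcemanager.googleapis.com/projects/${var.service_project}"
    roles    = ["roles/owner"]
  }

  # This is the binding the failing pipeline is missing: compute.networks.get
  # is checked against the host project, not the service project.
  binding {
    resource = "//cloudresourcemanager.googleapis.com/projects/${var.host_project}"
    roles    = ["roles/compute.networkUser"]
  }
}

# Running with the key issued from that roleset, read the shared network with
# the host project named explicitly; without `project` the google provider
# looks in its default (service) project, which is what the 403 reflects.
data "google_compute_network" "shared" {
  name    = "xpn0"
  project = var.host_project
}
```

If the pipeline only needs to read the network rather than attach resources to its subnets, roles/compute.networkViewer on the host project is the narrower grant. Likewise, roles/owner on the service project is broader than most pipelines need and is worth trimming once the run works.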