I have a service perimeter created on the projects holding Cloud Composer.
The VPC SC log snippet is below:
  "authenticationInfo": {
    "principalEmail": "service-org-<ORG_ID>@security-center-api.iam.gserviceaccount.com"
  },
  "requestMetadata": {
    "callerIp": "private",
    "requestAttributes": {},
    "destinationAttributes": {}
  },
  "serviceName": "compute.googleapis.com",
  "methodName": "compute.beta.DisksService.Insert",
  "resourceName": "projects/<CloudComposerProjectNumber>",
  "violationReason": "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER",
  "egressViolations": [
    {
      "source": "projects/<CloudComposerProjectNumber>",
      "sourceType": "Resource",
      "servicePerimeter": "accessPolicies/number/servicePerimeters/perimeter_name",
      "targetResource": "projects/<ProjectNumbernotfound>"
    }
  ]
I feel the error is because I don't have any access level defined for these Google-owned service accounts.
But since the violation reason is NOT_IN_SAME_SERVICE_PERIMETER, I don't think that is the reason.
The target project number is not found in my estate. Could it be external or Google-owned?
I tried adding an egress rule for the identity "service-org-<ORG_ID>@security-center-api.iam.gserviceaccount.com", but it fails with Error 400: The email address 'service-org-<ORG_ID>@security-center-api.iam.gserviceaccount.com ' is invalid or non-existent.
Not sure if anyone has seen something similar.
Usually the said error means that the resources being accessed don't have a common service perimeter. You may check the corresponding
resourceName field in the audit logs. See also the following list to verify your issue:
- Make sure that all resources listed in resourceName are within the same service perimeter.
- If the resources are in different perimeters, a perimeter bridge is required to share resources across perimeters.
- To connect the resources' projects, especially if they are from different organizations, use an ingress/egress rule.
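The triage the answer describes (read the resourceName and egressViolations fields, decide whether the target project is in your estate, then either bridge perimeters or write an egress rule) can be scripted. The following is an added example, not code from the original thread or from Google. It assumes: log entries shaped like the snippet in the question (Cloud Logging nests violationReason and egressViolations under protoPayload.metadata, which copied snippets often flatten, so both layouts are read); placeholder project numbers, perimeter name and principal email that are constructed for the example; and that the egressFrom/egressTo structure emitted is the one accepted by `gcloud access-context-manager perimeters update --set-egress-policies` (JSON is valid YAML, so the rendered file can be passed to that flag). Because the 400 in the question shows the Security Command Center service agent cannot be named under egressFrom.identities, the example falls back to `identityType: ANY_SERVICE_ACCOUNT` for such principals; whether that scope is acceptable for your perimeter is an operator decision, not something the thread settles. The method selector is copied straight from the log's methodName; if the service does not support method-level selectors for that call, replace it with "*".

```python
"""Triage VPC Service Controls egress violations and draft egress policies."""
import json
from collections import defaultdict

# Constructed placeholders: project numbers in our own estate/perimeter.
KNOWN_PROJECTS = {"111111111111", "333333333333"}

# Constructed sample entries modelled on the question's snippet (not real logs).
SAMPLE_LOG = [
    {   # external/unknown target, Google-managed principal (the thread's case)
        "protoPayload": {
            "authenticationInfo": {"principalEmail":
                "service-org-123456@security-center-api.iam.gserviceaccount.com"},
            "serviceName": "compute.googleapis.com",
            "methodName": "compute.beta.DisksService.Insert",
            "resourceName": "projects/111111111111",
            "metadata": {
                "violationReason": "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER",
                "egressViolations": [{
                    "source": "projects/111111111111", "sourceType": "Resource",
                    "servicePerimeter": "accessPolicies/999/servicePerimeters/composer_perimeter",
                    "targetResource": "projects/222222222222"}]}}},
    {   # target is a project we own: bridge/perimeter change, not an external egress
        "protoPayload": {
            "authenticationInfo": {"principalEmail": "composer@my-proj.iam.gserviceaccount.com"},
            "serviceName": "compute.googleapis.com",
            "methodName": "compute.beta.DisksService.Insert",
            "resourceName": "projects/111111111111",
            "metadata": {
                "violationReason": "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER",
                "egressViolations": [{
                    "source": "projects/111111111111", "sourceType": "Resource",
                    "servicePerimeter": "accessPolicies/999/servicePerimeters/composer_perimeter",
                    "targetResource": "projects/333333333333"}]}}},
]

# Principals that cannot be listed under egressFrom.identities (the thread's
# 400 "invalid or non-existent" shows the SCC service agent is one). Assumption.
UNNAMEABLE_PRINCIPALS = {"service-org-123456@security-center-api.iam.gserviceaccount.com"}


def _field(payload, key):
    """Read a violation field from the flattened or the metadata-nested layout."""
    if key in payload:
        return payload[key]
    return payload.get("metadata", {}).get(key)


def _project_number(resource):
    return resource.split("/")[-1] if resource else None


def triage(entries, known_projects):
    """One finding per egress violation, labelled by whether the target is ours."""
    findings = []
    for entry in entries:
        p = entry.get("protoPayload", entry)
        principal = p.get("authenticationInfo", {}).get("principalEmail")
        for v in _field(p, "egressViolations") or []:
            target = _project_number(v.get("targetResource"))
            findings.append({
                "principal": principal,
                "service": p.get("serviceName"),
                "method": p.get("methodName"),
                "reason": _field(p, "violationReason"),
                "perimeter": v.get("servicePerimeter"),
                "source": _project_number(v.get("source")),
                "target": target,
                "target_scope": "in-estate" if target in known_projects else "external-or-unknown",
            })
    return findings


def draft_egress_rules(findings, unnameable=UNNAMEABLE_PRINCIPALS):
    """Map perimeter -> list of egressPolicies entries for external targets.

    In-estate targets are skipped on purpose: they belong in the same perimeter
    or in a perimeter bridge, not in an egress rule to an outside project.
    """
    groups = defaultdict(lambda: {"identities": set(), "any_sa": False, "ops": set()})
    for f in findings:
        if f["target_scope"] != "external-or-unknown":
            continue
        g = groups[(f["perimeter"], f["target"])]
        if f["principal"] in unnameable:
            g["any_sa"] = True          # cannot be named by email; widen to identityType
        else:
            kind = "serviceAccount" if f["principal"].endswith("gserviceaccount.com") else "user"
            g["identities"].add(f"{kind}:{f['principal']}")
        g["ops"].add((f["service"], f["method"]))
    rules = defaultdict(list)
    for (perimeter, target), g in sorted(groups.items()):
        egress_from = ({"identityType": "ANY_SERVICE_ACCOUNT"} if g["any_sa"]
                       else {"identities": sorted(g["identities"])})
        rules[perimeter].append({
            "egressFrom": egress_from,
            "egressTo": {
                "resources": [f"projects/{target}"],
                "operations": [{"serviceName": svc, "methodSelectors": [{"method": m}]}
                               for svc, m in sorted(g["ops"])],
            },
        })
    return dict(rules)


def render_policy_file(policies):
    """JSON is valid YAML, so this can be fed to --set-egress-policies=FILE."""
    return json.dumps(policies, indent=2)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG, KNOWN_PROJECTS)
    for f in found:
        print(f"{f['perimeter']}: {f['source']} -> {f['target']} ({f['target_scope']}) "
              f"{f['service']} {f['method']} as {f['principal']}")
    for perimeter, policies in draft_egress_rules(found).items():
        print(f"# egress policies for {perimeter}")
        print(render_policy_file(policies))
```

Run it against a Cloud Logging export (`gcloud logging read` with a filter on `protoPayload.metadata.egressViolations` works for this) and replace KNOWN_PROJECTS with the project numbers actually inside your perimeters; anything still reported as external-or-unknown is what the answer's third bullet applies to.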