I have a service perimeter created on the projects holding Cloud Composer.
The VPC SC log snippet is below:
"authenticationInfo": {
  "principalEmail": "service-org-<ORG_ID>@security-center-api.iam.gserviceaccount.com"
},
"requestMetadata": {
  "callerIp": "private",
  "requestAttributes": {},
  "destinationAttributes": {}
},
"serviceName": "compute.googleapis.com",
"methodName": "compute.beta.DisksService.Insert",
"resourceName": "projects/<CloudComposerProjectNumber>",
"violationReason": "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER",
"egressViolations": [
  {
    "source": "projects/<CloudComposerProjectNumber>",
    "sourceType": "Resource",
    "servicePerimeter": "accessPolicies/number/servicePerimeters/perimeter_name",
    "targetResource": "projects/<ProjectNumbernotfound>"
  }
]
I feel the error is because I don't have any access level defined for these Google-owned service accounts. But since the violation reason is NOT_IN_SAME_SERVICE_PERIMETER, I don't think that is the reason. The target project number is not found in my estate. Could it be external or Google-owned? I tried adding an egress rule for the identity "service-org-<ORG_ID>@security-center-api.iam.gserviceaccount.com" but it is failing: Error 400: The email address 'service-org-<ORG_ID>@security-center-api.iam.gserviceaccount.com ' is invalid or non-existent.
Not sure if anyone has seen something similar.
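An added example, not part of the question and not a Google-supplied tool: a small Python triage script that parses VPC SC violation entries shaped like the snippet above, flattens each egress or ingress violation into one finding, flags principals that look like Google-managed service agents, and marks targets whose project number is not in your own project inventory (the "project number not found" case in the question). The service-agent patterns, the project numbers, the policy number and the second sample entry are assumptions constructed for this example.

```python
import json
import re
from typing import Iterable, List, Optional, Set

# Heuristic patterns for Google-managed service agents. This list is an
# assumption made for this example, not a Google-published inventory; the
# Security Command Center agent from the question matches the first suffix.
SERVICE_AGENT_DOMAINS = (
    "@security-center-api.iam.gserviceaccount.com",
    "@cloudservices.gserviceaccount.com",
    "@developer.gserviceaccount.com",
)
GCP_SA_RE = re.compile(r"^service-(?:org-)?\d+@gcp-sa-[a-z0-9-]+\.iam\.gserviceaccount\.com$")
PROJECT_RE = re.compile(r"^projects/(\d+)$")


def is_google_managed_service_agent(email: str) -> bool:
    """Heuristic: does this principal look like a Google-managed service agent
    rather than a user-created service account (name@<project-id>.iam...)?"""
    return email.endswith(SERVICE_AGENT_DOMAINS) or GCP_SA_RE.match(email) is not None


def project_number(resource: str) -> Optional[str]:
    """Return the numeric project from 'projects/<number>', else None."""
    m = PROJECT_RE.match(resource)
    return m.group(1) if m else None


def triage(entry: dict, known_projects: Set[str]) -> List[dict]:
    """Flatten one VPC SC violation entry into one finding per egress/ingress
    violation, marking Google-managed callers and targets outside the estate."""
    principal = entry.get("authenticationInfo", {}).get("principalEmail", "")
    findings = []
    for field in ("egressViolations", "ingressViolations"):
        for v in entry.get(field, []):
            target_num = project_number(v.get("targetResource", ""))
            findings.append({
                "direction": field[: -len("Violations")],
                "reason": entry.get("violationReason"),
                "principal": principal,
                "principal_is_service_agent": is_google_managed_service_agent(principal),
                "method": entry.get("methodName"),
                "perimeter": v.get("servicePerimeter"),
                "source": v.get("source"),
                "target": v.get("targetResource"),
                # False when the target project number is not in your own
                # inventory: the situation described in the question.
                "target_in_estate": target_num is not None and target_num in known_projects,
            })
    return findings


def triage_log_lines(lines: Iterable[str], known_projects: Set[str]) -> List[dict]:
    """Parse newline-delimited JSON log entries and triage each one."""
    findings: List[dict] = []
    for line in lines:
        line = line.strip()
        if line:
            findings.extend(triage(json.loads(line), known_projects))
    return findings


# Constructed sample log lines modelled on the question's snippet. All
# project numbers, the org id and the policy number are placeholders.
KNOWN_PROJECTS = {"111111111111", "222222222222"}
SAMPLE_LOG_LINES = [
    json.dumps({
        "authenticationInfo": {"principalEmail": "service-org-123456789@security-center-api.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "private"},
        "serviceName": "compute.googleapis.com",
        "methodName": "compute.beta.DisksService.Insert",
        "resourceName": "projects/111111111111",
        "violationReason": "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER",
        "egressViolations": [{
            "source": "projects/111111111111", "sourceType": "Resource",
            "servicePerimeter": "accessPolicies/1/servicePerimeters/perimeter_name",
            "targetResource": "projects/999999999999",
        }],
    }),
    json.dumps({
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.10"},
        "serviceName": "storage.googleapis.com",
        "methodName": "google.storage.objects.get",
        "resourceName": "projects/111111111111",
        "violationReason": "NO_MATCHING_ACCESS_LEVEL",
        "ingressViolations": [{
            "source": "projects/222222222222", "sourceType": "Resource",
            "servicePerimeter": "accessPolicies/1/servicePerimeters/perimeter_name",
            "targetResource": "projects/111111111111",
        }],
    }),
]


if __name__ == "__main__":
    for f in triage_log_lines(SAMPLE_LOG_LINES, KNOWN_PROJECTS):
        print(json.dumps(f))
```

Feed it newline-delimited JSON entries exported from Cloud Logging, with the metadata fields flattened as in the question's snippet. Findings where `principal_is_service_agent` is true and `target_in_estate` is false are the ones a user access level cannot address, since neither the caller nor the target project belongs to you; those are worth separating from ordinary user ingress denials before deciding on perimeter changes.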