How can I allow a user to become an actor of a service account in Google Cloud Platform (GCP)?

Question

I have a service account that I want to be able to 'act as' (in AWS it's called 'assume'). My service account called 'bucket-viewer-service-account' is shown below in my project:

$ gcloud projects get-iam-policy myproject
bindings:
- members:
  - serviceAccount:123456789012-compute@developer.gserviceaccount.com
  role: roles/editor
- members:
  - user:me@myemail.com
  role: roles/owner
- members:
  - serviceAccount:bucket-viewer-service-account@myproject.iam.gserviceaccount.com
  role: roles/storage.objectViewer
etag: BwVOE_CkjAo=
version: 1

I want to grant another user the ability to 'act as' this service account and I have applied the following, but not getting very far:

$ gcloud iam service-accounts add-iam-policy-binding \
    bucket-viewer-service-account@myproject.iam.gserviceaccount.com \
    --member='user:test.gcp1@myemail.com' --role='roles/iam.serviceAccountActor'
bindings:
- members:
  - user:user:test.gcp1@myemail.com
  role: roles/iam.serviceAccountActor
etag: BwVOFAhEVqY=

Is that all I have to do so that the user test.gcp1@myemail.com (once they're logged in) can access the resources available to the service account? Or is there another step required for the user to 'assume' the service account?

I've looked through the many pages of documentation Understanding Service Accounts for starters, but most seem to be thinking in terms of applications using service accounts, where the docs definitely mention users, groups etc can use service accounts to.

Answer 1

Apparently, the test.gcp1@myemail.com will not be able to get the privileges this way when you're running commands from your Terminal. A straightforward solution to this problem is to create and use Keys (similar to "Access Keys" in AWS). The following steps describe how you can achieve this:

1. Create "Keys" for your service account:

   gcloud iam service-accounts keys create KEY-FILE-NAME.json --iam-account=SA-NAME@PROJECT-ID.iam.gserviceaccount.com

2. Load the "Keys" in your terminal by adding the following environment variable (in .bashrc or equivalent file for your OS):

   export GOOGLE_APPLICATION_CREDENTIALS="/file-location/KEY-FILE-NAME.json"

3. Open a new terminal (or source your environment variable file) and execute CLI commands which will now be executed as your service account.

PS: Do note that the creation of "Keys" poses a considerable risk to the security of your cloud account. Ensure that the service account has minimum GCP Roles (i.e. privileges/policies) added and make sure to delete the keys when they are no longer required.

Answer 2

iam.serviceAccountActor role deprecated, you need to use Service Account User role

See More details

Answer 3

Giving a user the Service Account Actor role does not give access transitively, like you're suggesting. Instead, it allows a user to "use" the service account to start long-running jobs (e.g. creating a compute engine instance) that have that service account as an identity.

Answer 4

The iam.serviceAccountActor role gives users the ability to create and manage compute engine instances that use a service account.

I could be misunderstanding something, but if you want to give someone permission to directly act as a service account, the most straightforward way would probably be to create a private key file for the service account that represents that particular user acting as that service account, and then giving them that private key file.