Rakib

Reputation: 13085

Cannot impersonate GCP ServiceAccount even after granting "Service Account Token Creator" role

I have 2 ServiceAccounts in my Google Cloud Platform (GCP) Project.

The owner ServiceAccount has 1 project-wide role attached to it:

The executor ServiceAccount has ONLY 2 specific roles attached to it (as shown below):



Now, I have a JSON key file of the Executor ServiceAccount. I will be using that credential file to "impersonate" the Owner ServiceAccount. And then I will run gcloud commands.


Here is what I am doing:

#!/bin/bash

# --------------------------------------------------------------

# Key file of the Executor ServiceAccount. Relying on this variable alone to
# authenticate gcloud is what the rest of this question is about.
export GOOGLE_APPLICATION_CREDENTIALS="$(pwd)/my-executor-sa-key.json"
echo "$GOOGLE_APPLICATION_CREDENTIALS"
# Debug output only: this dumps the private key to the terminal and to any
# log that captures stdout.
cat "$GOOGLE_APPLICATION_CREDENTIALS"

OWNER_EMAIL="owner@my-gcp-project.iam.gserviceaccount.com"
echo "$OWNER_EMAIL"

# --------------------------------------------------------------

CLUSTER="my-k8s-cluster"
ZONE="asia-east1-a"
PROJECT="my-gcp-project"

# Build the command as an array so each argument survives word splitting intact.
MY_COMMAND=(gcloud container clusters get-credentials "${CLUSTER}" --zone "${ZONE}" --project "${PROJECT}" --impersonate-service-account="${OWNER_EMAIL}")
echo "${MY_COMMAND[*]}"

# --------------------------------------------------------------

# Run the command directly (not inside backticks, which would execute
# gcloud's stdout as a second command).
"${MY_COMMAND[@]}"

# --------------------------------------------------------------

Upon running the above, here is the output I am getting:


# --------------------------------------------------------------

/Users/rakib/tmp/my-executor-sa-key.json
{
  "type": "service_account",
  "project_id": "my-gcp-project",
  "private_key_id": "3208--------------------------------5d63",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEv\n----\nEAE9S\n-----END PRIVATE KEY-----\n",
  "client_email": "executor@my-gcp-project.iam.gserviceaccount.com",
  "client_id": "1099--------------5533",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/executor%40my-gcp-project.iam.gserviceaccount.com"
}

owner@my-gcp-project.iam.gserviceaccount.com

# --------------------------------------------------------------

gcloud container clusters get-credentials my-k8s-cluster --zone asia-east1-a --project my-gcp-project --impersonate-service-account=owner@my-gcp-project.iam.gserviceaccount.com

# --------------------------------------------------------------

WARNING: This command is using service account impersonation. All API calls will be executed as [owner@my-gcp-project.iam.gserviceaccount.com].
ERROR: (gcloud.container.clusters.get-credentials) Failed to impersonate [owner@my-gcp-project.iam.gserviceaccount.com]. Make sure the account that's trying to impersonate it has access to the service account itself and the "roles/iam.serviceAccountTokenCreator" role.

What am I missing here? I have indeed granted the Executor ServiceAccount the roles/iam.serviceAccountTokenCreator role on the Owner ServiceAccount.

Why can't it impersonate then?

Upvotes: 5

Views: 17577

Answers (1)

Rakib

Reputation: 13085

Turns out, I needed to add the gcloud auth activate-service-account --key-file=$GOOGLE_APPLICATION_CREDENTIALS command (more details here). Setting the $GOOGLE_APPLICATION_CREDENTIALS environment variable alone was not enough for the gcloud CLI tool.

All along, I knew that having the ServiceAccount path in $GOOGLE_APPLICATION_CREDENTIALS would suffice. Everywhere I read, I see that ADC uses $GOOGLE_APPLICATION_CREDENTIALS for that.

However, it turns out gcloud does not use ADC. ADC is used only by the client libraries (C#, Java, Python, Go, Ruby, etc.).

I have filed a new case in google's issue-tracker for Google to help improve their documentation to avoid mixup / confusion.

Upvotes: 7
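The fix described in the answer, carried through as a complete script. This is an added example, not the poster's script or anything from Google's documentation: it activates the Executor key in gcloud's own credential store (the missing step), then goes beyond the answer's single command with a pre-flight check of the Token Creator binding on the Owner and a cheap impersonation probe before touching the cluster. The key path, both e-mails, the cluster, zone and project are assumptions modelled on the question; the embedded key JSON is a constructed sample with the private key redacted, used only so the parsing helpers can be exercised offline.

```shell
#!/bin/sh
# Added example (not the original poster's script). Authenticate gcloud with the
# Executor key explicitly, verify the IAM binding, prove impersonation works,
# then fetch the cluster credentials as the Owner. All names are assumptions.
set -eu

# Constructed sample key in the shape gcloud writes (private key redacted);
# used only to exercise the parsing helpers below without a real key.
SAMPLE_KEY_JSON='{
  "type": "service_account",
  "project_id": "my-gcp-project",
  "private_key_id": "REDACTED",
  "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n",
  "client_email": "executor@my-gcp-project.iam.gserviceaccount.com",
  "token_uri": "https://oauth2.googleapis.com/token"
}'

write_sample_key() {                 # $1 = destination path
  printf '%s\n' "$SAMPLE_KEY_JSON" > "$1"
  chmod 600 "$1"                     # key files are secrets: owner-only
}

json_field() {                       # $1 = key file, $2 = flat string field name
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1"
}

key_type()          { json_field "$1" type; }
sa_email_from_key() { json_field "$1" client_email; }

# IAM member form that must appear in the Owner's Token Creator binding.
token_creator_member() { printf 'serviceAccount:%s\n' "$1"; }

# gcloud keeps its own credential store; GOOGLE_APPLICATION_CREDENTIALS (ADC)
# only serves the client libraries. This is the step the question was missing.
activate_executor() { gcloud auth activate-service-account --key-file="$1"; }

# Pre-flight: list members bound to roles/iam.serviceAccountTokenCreator on the
# Owner and look for the Executor. Reading the policy needs
# iam.serviceAccounts.getIamPolicy, which the Executor may not hold; then warn
# and fall through to the impersonation probe instead of failing.
check_token_creator() {              # $1 = executor email, $2 = owner email, $3 = project
  members="$(gcloud iam service-accounts get-iam-policy "$2" --project "$3" \
      --flatten='bindings[].members' \
      --filter='bindings.role:roles/iam.serviceAccountTokenCreator' \
      --format='value(bindings.members)' 2>/dev/null)" || {
    echo "warning: cannot read IAM policy of $2; skipping binding check" >&2
    return 0
  }
  printf '%s\n' "$members" | grep -qx -- "$(token_creator_member "$1")"
}

# Cheapest proof that impersonation works: mint an access token as the Owner
# and discard it. Never print the token.
probe_impersonation() { gcloud auth print-access-token --impersonate-service-account="$1" >/dev/null; }

main() {                             # KEY_FILE OWNER_EMAIL CLUSTER ZONE PROJECT
  key="$1" owner="$2" cluster="$3" zone="$4" project="$5"
  [ "$(key_type "$key")" = "service_account" ] || { echo "$key is not a service-account key" >&2; exit 2; }
  executor="$(sa_email_from_key "$key")"
  activate_executor "$key"           # do not cat the key file: it holds the private key
  check_token_creator "$executor" "$owner" "$project" \
    || { echo "$executor lacks roles/iam.serviceAccountTokenCreator on $owner" >&2; exit 3; }
  probe_impersonation "$owner"
  gcloud container clusters get-credentials "$cluster" --zone "$zone" --project "$project" \
    --impersonate-service-account="$owner"
}

# Usage: sh impersonate.sh ./my-executor-sa-key.json owner@my-gcp-project.iam.gserviceaccount.com my-k8s-cluster asia-east1-a my-gcp-project
[ "$#" -eq 0 ] || main "$@"
```

Setting GOOGLE_APPLICATION_CREDENTIALS is still worthwhile if client libraries run in the same shell, but it is irrelevant to gcloud; only activate-service-account (or a prior gcloud auth login) gives gcloud a caller identity that can request the Owner's token. The probe with print-access-token isolates an impersonation failure from anything GKE-specific, and the exit codes distinguish a wrong key file (2) from a missing binding (3).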
