Molenpad

Reputation: 1034

GCP Allow service-account-a to impersonate service-account-b

I know you can allow members to impersonate service accounts in GCP. Is it possible to allow one service account to impersonate another?

My use case is I have compute instances used for CI (running without many privileges) under [email protected].

I need them to be able to impersonate [email protected], which has privileges on the resources and objects it will deploy.

Is that possible?

Upvotes: 1

Views: 3221

Answers (1)

John Hanley

Reputation: 81336

Yes, you can grant permission for a service account (SA_A) to impersonate another service account (SA_B).

This requires that the service account (SA_A) possess the Service Account Token Creator role roles/iam.serviceAccountTokenCreator on the resource SA_B.

The following grants SA_A permission to impersonate SA_B:

gcloud iam service-accounts add-iam-policy-binding [SA_B_FULL_EMAIL] \
--member serviceAccount:[SA_A_FULL_EMAIL] \
--role roles/iam.serviceAccountTokenCreator

REQUIREMENTS

The user executing the above command requires a number of items:

The following APIs must be enabled:

  • iamcredentials.googleapis.com
  • cloudresourcemanager.googleapis.com

These commands enable the APIs:

  • gcloud services enable iamcredentials.googleapis.com
  • gcloud services enable cloudresourcemanager.googleapis.com

The user requires the role roles/serviceusage.serviceUsageConsumer.

gcloud projects add-iam-policy-binding [PROJECT_ID] \
--member "[ACCOUNT]" \
--role "roles/serviceusage.serviceUsageConsumer"

gcloud iam service-accounts add-iam-policy-binding

Google Cloud – Improving Security with Impersonation

Managing service account impersonation

Upvotes: 2
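As an added example (not part of the answer above, and not Google's own tooling), the Python below models the three things a practitioner wants around that gcloud command: what the add-iam-policy-binding call does to SA_B's IAM policy, a check against the output of `gcloud iam service-accounts get-iam-policy SA_B --format=json` that the CI account really is a Token Creator and that nobody unexpected is, and the IAM Credentials request the CI instance then makes to mint an access token for SA_B (POST to `projects/-/serviceAccounts/{SA_B}:generateAccessToken`, which is the call `gcloud --impersonate-service-account` and the client libraries use). The project `ci-project`, the account names `sa-a`/`sa-b`, and the sample policy JSON are constructed for the example; everything runs offline on stdlib only.

```python
import copy
import json
from typing import Dict, List, Set, Tuple

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
IAM_CREDENTIALS = "https://iamcredentials.googleapis.com/v1"
MAX_LIFETIME_S = 3600  # default ceiling for a generateAccessToken lifetime

# Hypothetical principals (project name and account names are assumptions).
SA_A = "serviceAccount:sa-a@ci-project.iam.gserviceaccount.com"
SA_B = "sa-b@ci-project.iam.gserviceaccount.com"

# Constructed sample: the shape `gcloud iam service-accounts get-iam-policy SA_B
# --format=json` returns. A human user has also been granted Token Creator,
# which the audit below should flag.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:sa-a@ci-project.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["serviceAccount:sa-a@ci-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXyz123",
  "version": 1
}
""")


def add_binding(policy: Dict, member: str, role: str) -> Dict:
    """Model of `add-iam-policy-binding`: add member to the unconditional
    binding for role, creating the binding if needed. Returns a new policy
    and is idempotent, as the gcloud command is."""
    new = copy.deepcopy(policy)
    for b in new.setdefault("bindings", []):
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def token_creators(policy: Dict) -> Set[str]:
    """Every principal that can mint tokens for the SA, i.e. impersonate it."""
    members: Set[str] = set()
    for b in policy.get("bindings", []):
        if b["role"] == TOKEN_CREATOR:
            members.update(b["members"])
    return members


def can_impersonate(policy: Dict, member: str) -> bool:
    """True if member holds Token Creator on the SA whose policy this is."""
    return member in token_creators(policy)


def audit_token_creators(policy: Dict) -> List[str]:
    """Findings a reviewer wants on SA_B's policy: public or human principals
    holding Token Creator, and conditional grants that need a closer look."""
    findings: List[str] = []
    for b in policy.get("bindings", []):
        if b["role"] != TOKEN_CREATOR:
            continue
        for m in b["members"]:
            if m in ("allUsers", "allAuthenticatedUsers"):
                findings.append(f"public principal {m} can impersonate")
            elif not m.startswith("serviceAccount:"):
                findings.append(f"non-service-account principal {m} can impersonate")
        if "condition" in b:
            findings.append(f"conditional Token Creator binding: {b['condition'].get('title', '')}")
    return findings


def generate_access_token_request(target_sa: str, scopes: List[str],
                                  lifetime_s: int = MAX_LIFETIME_S) -> Tuple[str, Dict]:
    """URL and JSON body SA_A POSTs (authenticated as itself, e.g. with the
    token from the instance metadata server) to obtain an access token for
    target_sa. Lifetime must be 1..3600 seconds."""
    if not 0 < lifetime_s <= MAX_LIFETIME_S:
        raise ValueError(f"lifetime must be 1..{MAX_LIFETIME_S} seconds")
    url = f"{IAM_CREDENTIALS}/projects/-/serviceAccounts/{target_sa}:generateAccessToken"
    body = {"scope": list(scopes), "lifetime": f"{lifetime_s}s"}
    return url, body


if __name__ == "__main__":
    print("SA_A can impersonate SA_B:", can_impersonate(SAMPLE_POLICY, SA_A))
    for f in audit_token_creators(SAMPLE_POLICY):
        print("finding:", f)
    url, body = generate_access_token_request(
        SA_B, ["https://www.googleapis.com/auth/cloud-platform"], 600)
    print(url)
    print(json.dumps(body))
```

The audit is the part worth keeping: Token Creator on SA_B is equivalent to holding SA_B's credentials, so anything beyond the single CI service account in that binding (a human user, a group, a public principal) is a finding, and the role should be granted on the service account resource as in the answer, never at project level where it would cover every service account in the project.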
