Impersonate Service Account in GCP
Grant the user (here an on-premises corporate user) ONLY the impersonation privilege, roles/iam.serviceAccountTokenCreator, rather than the service account's own roles:

gcloud iam service-accounts add-iam-policy-binding [SERVICE_ACCOUNT_EMAIL] \
  --member user:[USER_CORP_EMAIL] \
  --role roles/iam.serviceAccountTokenCreator
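A practitioner who grants this binding will also want to check, over time, who holds it. The following is an added example (not code from the original post) that parses the IAM policy of a service account in the JSON shape printed by gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json and reports every principal bound to roles/iam.serviceAccountTokenCreator, flagging broad principals (allUsers, allAuthenticatedUsers, whole domains) and bindings limited by an IAM condition. SAMPLE_POLICY is a constructed sample, not captured gcloud output.

```python
"""Audit which principals can impersonate a GCP service account.

Added example, not code from the original post. It reads the IAM policy of a
service account in the JSON shape that
`gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json` prints and
reports every principal bound to roles/iam.serviceAccountTokenCreator, the
impersonation privilege granted with add-iam-policy-binding.
SAMPLE_POLICY is a constructed sample, not captured output.
"""
from __future__ import annotations

import json

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

# Principals that make an impersonation grant far broader than one user.
BROAD_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy (not real output).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {
      "role": "roles/iam.serviceAccountTokenCreator",
      "members": ["user:alice@example.com", "domain:example.com"]
    },
    {
      "role": "roles/iam.serviceAccountTokenCreator",
      "members": ["group:ci-admins@example.com"],
      "condition": {
        "title": "business-hours",
        "expression": "request.time.getHours('Europe/Amsterdam') >= 9"
      }
    },
    {
      "role": "roles/iam.serviceAccountUser",
      "members": ["user:bob@example.com"]
    }
  ],
  "etag": "BwXconstructed=",
  "version": 3
}
""")


def impersonators(policy: dict) -> list[dict]:
    """Return one finding per member that holds the token creator role.

    Each finding records whether the member is a broad principal (allUsers,
    allAuthenticatedUsers or a whole domain) and whether the binding is
    limited by an IAM condition.
    """
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != TOKEN_CREATOR:
            continue  # other roles (e.g. serviceAccountUser) are not token impersonation
        condition = binding.get("condition")
        for member in binding.get("members", []):
            findings.append({
                "member": member,
                "broad": member in BROAD_MEMBERS or member.startswith("domain:"),
                "conditional": condition is not None,
                "condition": condition["expression"] if condition else None,
            })
    return findings


def broad_impersonators(policy: dict) -> list[str]:
    """Members whose impersonation grant is wider than a single identity."""
    return [f["member"] for f in impersonators(policy) if f["broad"]]


def report(policy: dict) -> str:
    """Human-readable summary, one line per impersonator."""
    lines = []
    for f in impersonators(policy):
        flags = []
        if f["broad"]:
            flags.append("BROAD")
        if f["conditional"]:
            flags.append(f"condition: {f['condition']}")
        suffix = f"  [{'; '.join(flags)}]" if flags else ""
        lines.append(f"{f['member']}{suffix}")
    return "\n".join(lines) or "no principals can impersonate this service account"


if __name__ == "__main__":
    # With gcloud installed, replace SAMPLE_POLICY by the parsed output of:
    #   gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json
    print(report(SAMPLE_POLICY))
```

Run it against a real policy by piping the gcloud JSON into json.loads; a "BROAD" flag on the token creator role is the finding to act on, since it means anyone in that domain or audience can mint tokens for the account.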
It's also possible to impersonate a Service Account from within your Terraform code. This is done by generating a short-lived access token for the SA and handing it to a second, aliased provider. (Also read: Understanding Service Accounts in Google Cloud.)
# Default provider: runs as the caller (the user granted Token Creator above).
provider "google" {
  scopes = [
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/userinfo.email",
  ]
}

# Mint a short-lived access token (5 minutes) for the target service account.
data "google_service_account_access_token" "default" {
  provider               = google
  target_service_account = "impersonated-account@projectB.iam.gserviceaccount.com"
  scopes                 = ["userinfo-email", "cloud-platform"]
  lifetime               = "300s"
}

# Identity of the caller, useful for confirming who requested the token.
data "google_client_openid_userinfo" "my_email" {}

output "source-email" {
  value = data.google_client_openid_userinfo.my_email.email
}

# Second provider that authenticates with the impersonated token.
provider "google" {
  alias        = "impersonated"
  access_token = data.google_service_account_access_token.default.access_token
}

# Any resource or data source using this alias acts as the service account.
data "google_project" "project" {
  provider   = google.impersonated
  project_id = "target-project"
}
Anuj Varma has helped create Cloud Centers of Excellence for PepsiCo, the State of Texas, Shell and other Fortune 100 Companies. Set up a 1 on 1 appointment with Anuj to assist with your cloud journey.