Grant a user (an on-premises user) ONLY IMPERSONATION privileges

gcloud iam service-accounts add-iam-policy-binding [SERVICE_ACCOUNT_EMAIL] \
--member user:[USER_CORP_EMAIL] \
--role roles/iam.serviceAccountTokenCreator
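To confirm that the binding above really is the only privilege a user holds on the service account, here is an added Python check (not from the original post) that reads the JSON form of the account's IAM policy, as printed by gcloud iam service-accounts get-iam-policy with --format=json. The policy, emails and etag below are a constructed sample.

```python
import json

# Constructed sample of what `gcloud iam service-accounts get-iam-policy SA --format=json`
# returns; emails, etag and the second binding are made up for this example.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["user:alice@corp.example", "user:bob@corp.example"]},
    {"role": "roles/iam.serviceAccountKeyAdmin",
     "members": ["user:bob@corp.example"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["serviceAccount:ci@projecta.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXYZ-constructed", "version": 1
}
""")

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"


def roles_by_member(policy):
    """Invert the bindings list into {member: set(roles held on this SA)}."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def impersonators(policy):
    """Members that can mint short-lived tokens for this SA (tokenCreator)."""
    return sorted(m for m, r in roles_by_member(policy).items() if TOKEN_CREATOR in r)


def over_privileged(policy):
    """Impersonators that also hold other roles on the SA, i.e. more than
    'only impersonation'. Returns {member: sorted extra roles}."""
    return {m: sorted(r - {TOKEN_CREATOR})
            for m, r in roles_by_member(policy).items()
            if TOKEN_CREATOR in r and r != {TOKEN_CREATOR}}


if __name__ == "__main__":
    print("can impersonate:", impersonators(SAMPLE_POLICY))
    print("more than impersonation:", over_privileged(SAMPLE_POLICY))
```

In the sample, bob also holds serviceAccountKeyAdmin, so he could create a long-lived key instead of a short-lived token; that is the kind of extra grant this check surfaces.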

It's possible to impersonate a Service Account from within your Terraform code. This is done by generating a short-lived token for the SA with the caller's own credentials and then using that token in a second provider instance. (Also read: Understanding Service Accounts in Google Cloud.)

# Default provider: authenticates as the caller (for example the on-premises user).
provider "google" {
  scopes = [
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/userinfo.email",
  ]
}

# Mint a short-lived (300 s) access token for the target SA using the caller's
# credentials; the caller needs roles/iam.serviceAccountTokenCreator on that SA.
data "google_service_account_access_token" "default" {
  provider               = google
  target_service_account = "impersonated-account@projectB.iam.gserviceaccount.com"
  scopes                 = ["userinfo-email", "cloud-platform"]
  lifetime               = "300s"
}

# Identity of the caller whose credentials requested the token.
data "google_client_openid_userinfo" "my_email" {}

output "source-email" {
  value = data.google_client_openid_userinfo.my_email.email
}

# Second provider instance that authenticates with the impersonated token.
provider "google" {
  alias        = "impersonated"
  access_token = data.google_service_account_access_token.default.access_token
}

# Anything read or managed through this alias runs as the impersonated SA.
data "google_project" "project" {
  provider   = google.impersonated
  project_id = "target-project"
}

Posted by Anuj Varma, Hands-On Technology Architect, Clean Air Activist.