google-cloud-platformgcloudgoogle-iam

is there a way to use your current credentials to assume a service account instead of having to use the json key?


My personal account is an admin in my gcp project.

If I want to use one of the service accounts I have created (from my local laptop) I do this:

gcloud auth activate-service-account --key-file=some-service-account.json

But I wonder, if I already have my own admin account active, is there a way to just assume a service account without the key? Can GCP use my current creds to give me access to assume that service account?

If so this also makes me wonder if I can use service accounts applied to GCE instances the same way. So I can attach a service account to a GCE instance that gives it access to assume other service accounts.


Solution

  • I think what you're looking for is "impersonation". You need roles like iam.serviceAccountUser to do this. Refer to these docs and articles: