My personal account is an admin in my gcp project.
If I want to use one of the service accounts I have created (from my local laptop) I do this:
gcloud auth activate-service-account --key-file=some-service-account.json
But I wonder, if I already have my own admin account active, is there a way to just assume a service account without the key? Can GCP use my current creds to give me access to assume that service account?
If so this also makes me wonder if I can use service accounts applied to GCE instances the same way. So I can attach a service account to a GCE instance that gives it access to assume other service accounts.
I think what you're looking for is "impersonation". You need roles like iam.serviceAccountUser
to do this. Refer to these docs and articles: