is there a way to use your current credentials to assume a service account instead of having to use the json key?

My personal account is an admin in my gcp project.

If I want to use one of the service accounts I have created (from my local laptop) I do this:

gcloud auth activate-service-account --key-file=some-service-account.json

But I wonder, if I already have my own admin account active, is there a way to just assume a service account without the key? Can GCP use my current creds to give me access to assume that service account?

If so this also makes me wonder if I can use service accounts applied to GCE instances the same way. So I can attach a service account to a GCE instance that gives it access to assume other service accounts.

I think what you're looking for is "impersonation". You need roles like iam.serviceAccountUser to do this. Refer to these docs and articles:

• https://cloud.google.com/iam/docs/service-accounts#the_service_account_user_role

• https://medium.com/google-cloud/using-serviceaccountactor-iam-role-for-account-impersonation-on-google-cloud-platform-a9e7118480ed

• https://medium.com/google-cloud/impersonating-users-with-google-cloud-platform-service-accounts-ba762db09092