Starting with this:

gcloud config set auth/impersonate_service_account [SA_FULL_EMAIL]

and it can be run with the same creds as what will run in the dev environment, without them having to download any keys.

Now that works. BUT I also want to make it possible to run the applications locally in containers too. Using docker/docker-compose/minikube/etc how can I make it possible to impersonate a service account?
The container would need access to the gcloud creds, and it would need to set impersonation in the session too before the app starts somehow. This must not be done in code: the app should just use the APIs as normal without having to do anything differently.

EDIT: when applications run in dev or prod GCP accounts/projects they run in the context of a service account that has correctly scoped permissions for that specific application. Developers' own user accounts have broad permissions to the dev environment. When running locally it's useful to run with the same service account the application runs with in the dev environment instead of the developer's own user account.
I'm amending my answer.
This only works for the CLI, not the SDK:

gcloud config set auth/impersonate_service_account [SA_FULL_EMAIL]

For a while the SDK didn't support impersonation like this (afaik), but I recently found that it now does with this command:

gcloud auth application-default login --impersonate-service-account SERVICE_ACCT_EMAIL

Docs
So this is now possible and all users have to do is:

$HOME/.config/gcloud into the running container

SDK running in the container will find the impersonated creds and everything just works.
Only thing is that it's annoying and I don't know how to turn it off. The CLI lets you do this with a single command, but for the SDK you need to log in via a browser and authorize it. The only way I have found to turn it off is to re-login without the impersonation flag. Is there just a command to turn on/off impersonation for the SDK without the whole login thing?
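To put the answer's procedure together for both the question (run locally in a container, no code changes) and the answer (impersonated ADC login, then hand the gcloud config to the container), here is an added shell example; it is not code from the question or the answer. It assumes the ADC file is where `gcloud auth application-default login` writes it by default, `$HOME/.config/gcloud/application_default_credentials.json`. It checks that the file really is an impersonation (gcloud writes `"type": "impersonated_service_account"` and a `service_account_impersonation_url` into it when the `--impersonate-service-account` flag was used, and plain `authorized_user` fields when it was not, which is also the quickest way to see whether impersonation is currently on), prints which service account it impersonates, and prints the `docker run` line that mounts the file read-only and points `GOOGLE_APPLICATION_CREDENTIALS` at it so the SDK finds it whatever user the app runs as. The image name `app:dev`, the in-container path `/adc/...`, and the sample ADC contents are assumptions or constructed test data.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Assumes the ADC
# file is where `gcloud auth application-default login` writes it by default:
#   $HOME/.config/gcloud/application_default_credentials.json
# The image name (app:dev), the in-container path (/adc/...) and the sample
# ADC contents further down are assumptions / constructed test data.

ADC_FILE="${ADC_FILE:-$HOME/.config/gcloud/application_default_credentials.json}"

# Classify an ADC file by the fields gcloud writes into it:
#   impersonated : has service_account_impersonation_url
#                  (login was run with --impersonate-service-account)
#   user         : authorized_user refresh token only (plain login, no impersonation)
#   key          : a downloaded service-account key (what the question wants to avoid)
adc_mode() {
  f="$1"
  [ -f "$f" ] || { echo "missing"; return 0; }
  if grep -q '"service_account_impersonation_url"' "$f"; then
    echo "impersonated"
  elif grep -q '"private_key"' "$f"; then
    echo "key"
  elif grep -q '"refresh_token"' "$f"; then
    echo "user"
  else
    echo "unknown"
  fi
}

# Print the email of the impersonated service account (empty if none).
adc_impersonated_sa() {
  sed -n 's#.*/serviceAccounts/\([^:"]*\):generateAccessToken.*#\1#p' "$1" | head -n 1
}

# Print the docker run command that hands the host's ADC file to the app.
# Mounting read-only and pointing GOOGLE_APPLICATION_CREDENTIALS at the file
# means the SDK finds it whatever user the app runs as, with no code change.
docker_run_cmd() {
  host_file="$1"; image="$2"
  in_container="/adc/application_default_credentials.json"
  printf 'docker run --rm -v %s:%s:ro -e GOOGLE_APPLICATION_CREDENTIALS=%s %s\n' \
    "$host_file" "$in_container" "$in_container" "$image"
}

# Guard: refuse to start unless the ADC really is an impersonation, so the app
# never silently runs with the developer's own broad user credentials.
run_with_impersonated_adc() {
  adc="${1:-$ADC_FILE}"; image="${2:-app:dev}"
  mode="$(adc_mode "$adc")"
  if [ "$mode" != "impersonated" ]; then
    echo "ADC at $adc is '$mode', not an impersonation. Run:" >&2
    echo "  gcloud auth application-default login --impersonate-service-account SA_EMAIL" >&2
    return 1
  fi
  echo "Impersonating $(adc_impersonated_sa "$adc")" >&2
  docker_run_cmd "$adc" "$image"   # printed, not executed; pipe to sh to run it
}

# Constructed sample with the shape gcloud writes for an impersonated login
# (all tokens fake), used for the self-test below.
write_sample_adc() {
  cat > "$1" <<'EOF'
{
  "delegates": [],
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/app-dev@example-project.iam.gserviceaccount.com:generateAccessToken",
  "source_credentials": {
    "client_id": "fake-client-id",
    "client_secret": "fake-client-secret",
    "refresh_token": "fake-refresh-token",
    "type": "authorized_user"
  },
  "type": "impersonated_service_account"
}
EOF
}

# Self-test on the constructed file (no gcloud or docker needed).
sample="$(mktemp)"
write_sample_adc "$sample"
run_with_impersonated_adc "$sample" app:dev
rm -f "$sample"
```

For docker-compose the same two settings go under `volumes:` (with `:ro`) and `environment:` for the service. Note that the impersonated ADC file still embeds the developer's own user refresh token under `source_credentials`, which is what the SDK exchanges for the service account token, so the file is only mounted at run time and read-only, never copied into the image. Turning impersonation off for the SDK remains what the answer says: re-run the login without the flag, after which `adc_mode` reports `user`.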