I would like to allow users to impersonate a service account to do operations on a long running process. However, all the code examples illustrate a service account impersonating another service account.
Can users directly impersonate a service account? If so, how?
I'm following this example code.
Initialize a source credential which does not have access to list bucket:
from google.oauth2 import service_acccount
target_scopes = [
'https://www.googleapis.com/auth/devstorage.read_only']
source_credentials = (
service_account.Credentials.from_service_account_file(
'/path/to/svc_account.json',
scopes=target_scopes))
Now use the source credentials to acquire credentials to impersonate another service account:
from google.auth import impersonated_credentials
target_credentials = impersonated_credentials.Credentials(
source_credentials=source_credentials,
target_principal='impersonated-account@_project_.iam.gserviceaccount.com',
target_scopes = target_scopes,
lifetime=500)
Instead of trying to impersonate a service account from a user account, grant the user permission to create a service account OAuth access token.
Grant the user the role roles/iam.serviceAccountTokenCreator on the service account. This role is called "Service Account Token Creator" in the web console.
Call the API generateAccessToken to create an access token from the service account.
projects.serviceAccounts.generateAccessToken
A simple HTTP POST request will return an access token. Modify the following request with the service account email address.
POST https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/SERVICE-ACCOUNT-NAME@PROJECTID.iam.gserviceaccount.com:generateAccessToken
Request Body:
{
"delegates": [],
"scope": [
"https://www.googleapis.com/auth/cloud-platform"
],
"lifetime": "3600s"
}
This API requires authorization. Include the user's OAuth access token in the HTTP Authorization header.
Authorization: Bearer ACCESS_TOKEN
Response Body:
{
"accessToken": "eyJ0eXAifeA...NiK8i",
"expireTime": "2020-03-05T15:01:00.12345678Z"
}