We are currently running a process in a CI pipeline; this CI pipeline deploys resources to Google Cloud Platform (GCP) and then invokes a Cloud Function. One of the scripts that we run as part of this deployment issues this:
gcloud --impersonate-service-account "$DEPLOYER_SA" functions call "$FUNCTION_NAME" --region "$REGION" --project "$PROJECT_ID" --data {}
However, it fails with this error:
WARNING: This command is using service account impersonation. All API calls will be executed as [deployer-dev@redacted-project-name.iam.gserviceaccount.com].
ERROR: (gcloud.functions.call) Failed to impersonate [deployer-dev@redacted-project-name.iam.gserviceaccount.com]. Make sure the account that's trying to impersonate it has access to the service account itself and the "roles/iam.serviceAccountTokenCreator" role.
In other words, the service account being impersonated is the same service account that is running the script (I won't go into why this is the case - there are reasons).
My question is... I'm quite surprised that a service account cannot impersonate itself. Why would it not be able to do this?
Have you granted the role Service Account Token Creator to your service account?
You can do this by going to IAM -> Service Accounts -> Select the service account (deployer-dev@redacted-project-name.iam.gserviceaccount.com) -> Permissions -> Grant Access -> New Members (add the same account deployer-dev@redacted-project-name.iam.gserviceaccount.com) -> Role add Service Account Token Creator -> Save
Hope this information is helpful to you.
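As an added example (not part of the question or the answer above), here is the same grant done with gcloud instead of the console, scoped to the service account itself rather than to the whole project, followed by a check that the binding is present and that impersonation actually works. It assumes gcloud is installed and authenticated as an identity that is allowed to set IAM policy on the service account; the service-account and project names, the ci-runner account and the two sample policy documents are constructed placeholders, not output from the original poster's project.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: grant a GCP service
# account the Token Creator role on ITSELF, then verify the binding and the
# impersonation. Assumes gcloud is installed and the active credentials may
# set IAM policy on the service account. All names below are placeholders.
set -eu

TOKEN_CREATOR_ROLE="roles/iam.serviceAccountTokenCreator"

# Grant the role on the service-account resource only (least privilege),
# not on the project, so the SA can mint tokens for itself and nothing else.
grant_self_token_creator() {
  sa="$1"; project="$2"
  gcloud iam service-accounts add-iam-policy-binding "$sa" \
    --project "$project" \
    --member "serviceAccount:$sa" \
    --role "$TOKEN_CREATOR_ROLE"
}

# Offline check, no gcloud needed: given the JSON policy text of a service
# account (what `gcloud iam service-accounts get-iam-policy SA --format=json`
# prints), succeed only if one binding carries BOTH the Token Creator role and
# the SA itself as a member. Whitespace is stripped and the text is split per
# binding object, so compact or pretty-printed JSON and any key order work.
has_self_token_creator() {
  policy_json="$1"; sa="$2"
  printf '%s' "$policy_json" | tr -d ' \n\t\r' | tr '}' '\n' \
    | grep -F "\"role\":\"$TOKEN_CREATOR_ROLE\"" \
    | grep -Fq "\"serviceAccount:$sa\""
}

# Live check: read the SA's own IAM policy and run the offline check on it.
check_self_token_creator() {
  sa="$1"; project="$2"
  has_self_token_creator \
    "$(gcloud iam service-accounts get-iam-policy "$sa" --project "$project" --format=json)" \
    "$sa"
}

# The real proof: mint an access token as the SA via impersonation, which is
# what `gcloud --impersonate-service-account` does before the functions call.
# IAM changes are eventually consistent, so retry for a few minutes.
verify_impersonation() {
  sa="$1"; attempt=1
  while ! gcloud auth print-access-token --impersonate-service-account "$sa" >/dev/null; do
    if [ "$attempt" -ge 6 ]; then
      echo "still cannot impersonate $sa after $attempt attempts" >&2
      return 1
    fi
    attempt=$((attempt + 1)); sleep 10
  done
}

ensure_self_impersonation() {
  sa="$1"; project="$2"
  if check_self_token_creator "$sa" "$project"; then
    echo "self-impersonation binding already present on $sa"
  else
    grant_self_token_creator "$sa" "$project"
  fi
  verify_impersonation "$sa"
}

# Constructed sample policies (placeholder names) for the offline check.
# A correct self-binding:
SAMPLE_POLICY_OK='{
  "bindings": [
    {
      "members": [
        "serviceAccount:deployer-dev@redacted-project-name.iam.gserviceaccount.com"
      ],
      "role": "roles/iam.serviceAccountTokenCreator"
    }
  ],
  "etag": "BwXYZ123",
  "version": 1
}'
# The role granted to a different account, and the deployer holding a
# different role: neither binding is the self-impersonation grant.
SAMPLE_POLICY_MISSING='{"bindings":[{"members":["serviceAccount:ci-runner@redacted-project-name.iam.gserviceaccount.com"],"role":"roles/iam.serviceAccountTokenCreator"},{"members":["serviceAccount:deployer-dev@redacted-project-name.iam.gserviceaccount.com"],"role":"roles/iam.serviceAccountUser"}],"etag":"BwX","version":1}'

# Run the live procedure only when the CI script's variables are set.
if [ -n "${DEPLOYER_SA:-}" ] && [ -n "${PROJECT_ID:-}" ]; then
  ensure_self_impersonation "$DEPLOYER_SA" "$PROJECT_ID"
fi
```

Granting roles/iam.serviceAccountTokenCreator at project level would also clear the error, but it would let the deployer mint tokens for every service account in the project; the binding on the service account itself is the least-privilege form. The live check reads the service account's own policy, so a project-level grant would not show up there, and a freshly added binding can take a few minutes to take effect, which is why verify_impersonation retries instead of failing on the first attempt.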