The documentation for the Service Account User role is a bit confusing.
https://cloud.google.com/iam/docs/service-accounts#user-role
Users granted the Service Account User role on a service account can use it to indirectly access all the resources to which the service account has access. For example, if a service account has been granted the Compute Admin role (roles/compute.admin), a user that has been granted the Service Account Users role (roles/iam.serviceAccountUser) on that service account can act as the service account to start a Compute Engine instance. In this flow, the user impersonates the service account to perform any tasks using its granted roles and permissions.
Based on this, I assume that by granting my account the Service Account User role on a service account that is an owner, I should be able to impersonate that service account from the command line and run gcloud commands with the inherited permissions of the service account:
gcloud init # login to my account that has the user role on the SA
gcloud config set auth/impersonate_service_account <service-account-email>
gcloud compute instances list
> WARNING: This command is using service account impersonation. All API calls will be executed as [<service-account>@<project>.iam.gserviceaccount.com].
> ERROR: (gcloud.compute.instances.list) Failed to impersonate [<service-account>@<project>.iam.gserviceaccount.com]. Make sure the account that's trying to impersonate it has access to the service account itself and the "roles/iam.serviceAccountTokenCreator" role.
So I removed the User role and assigned myself the Token Creator role. Works as expected. Why does the description for the User role sound like it's the role I'm meant to be using, but it seems like Token Creator is the only one I need?
So despite the confusion of the GCP docs, I think I was able to reach a conclusion on the difference between:
As an example, if I wanted to deploy a GKE cluster but specify a service account for the nodes to use other than the default service account I would add the flag:
gcloud container clusters create my-cluster --service-account=<service-account>
For me to do this I would at a minimum require Service Account User on the service account I am attempting to assign to the resources. This role appears to also be used in other cases, such as executing code on a VM and using the VM's identity instead (??).
If I wanted to deploy the cluster using the service account credentials (i.e. not my own account), I would use impersonation, which requires the Token Creator role. I might want to do this because my personal account doesn't have permission to deploy clusters but the SA does.
gcloud container clusters create my-cluster --impersonate-service-account=<service-account>
This would build the cluster and log the action as that of the service account, not my personal account.
Please correct me if I'm wrong.
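As an added example (not code from the thread), the following Python audit applies the distinction above to the output of `gcloud iam service-accounts get-iam-policy <sa> --format=json`: it lists who holds Service Account User (can attach the SA to a resource) versus Token Creator (can impersonate it via `--impersonate-service-account`), and flags both as privilege reach when the SA itself is highly privileged. The policy JSON, the member names and the set of roles treated as high-privilege are constructed assumptions.

```python
import json

# Constructed sample: shape of `gcloud iam service-accounts get-iam-policy --format=json`
# for a service account that holds roles/owner on its project.
SA_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:alice@example.com", "group:deployers@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["user:bob@example.com"]},
    {"role": "roles/iam.serviceAccountKeyAdmin",
     "members": ["user:carol@example.com"]}
  ],
  "etag": "BwXyz123",
  "version": 1
}
"""

# Constructed: project-level roles held by the service account itself.
SA_PROJECT_ROLES = ["roles/owner"]

# What each SA-scoped role lets its grantee do, per the thread above.
ROLE_EFFECT = {
    "roles/iam.serviceAccountUser": "attach the SA to a resource (actAs); cannot mint tokens",
    "roles/iam.serviceAccountTokenCreator": "mint tokens as the SA (impersonation)",
    "roles/iam.serviceAccountKeyAdmin": "create long-lived keys for the SA",
}

# Assumption: roles that make any path onto the SA worth reviewing.
HIGH_PRIVILEGE = {"roles/owner", "roles/editor"}


def audit_sa_policy(policy_json, sa_project_roles):
    """Return one finding per (member, SA-scoped role), marking escalation risk."""
    policy = json.loads(policy_json)
    risky = bool(HIGH_PRIVILEGE & set(sa_project_roles))
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in ROLE_EFFECT:
            continue
        for member in binding.get("members", []):
            findings.append({"member": member, "role": role,
                             "effect": ROLE_EFFECT[role], "escalation": risky})
    return findings


def members_with_role(findings, role):
    """Members holding a given SA-scoped role (e.g. who can impersonate)."""
    return sorted(f["member"] for f in findings if f["role"] == role)


if __name__ == "__main__":
    for f in audit_sa_policy(SA_POLICY_JSON, SA_PROJECT_ROLES):
        print(f"{f['member']:32} {f['role']:42} risk={f['escalation']}")
```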