Support Service Account Impersonation
andyrzhao opened this issue · 2 comments
We would like to support service account impersonation, which allows users to exchange access tokens to act as service accounts.
The command may look like:
oauth2l fetch --scope cloud-platform --impersonated-service-account [SERVICE_ACCOUNT]
The command will return a short-term access token to act as the service account specified.
Implementation wise, this command will call the IAM generateAccessToken API method.
We should also consider supporting the reverse - "service account impersonating user account".
Looks like there is a pre-requisite for running "add-iam-policy-binding" to bind user to service account, and gcloud is the only tool that can do that AFAIK:
gcloud iam service-accounts add-iam-policy-binding 113258942105700140798 --member="user:andyzhao@google.com" --role="roles/iam.serviceAccountTokenCreator" --project andyzhaotest
Afterwards, service account impersonation can be done through:
curl -H "Authorization: Bearer redacted" -X POST https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/113258942105700140798:generateAccessToken -d "scope=https://www.googleapis.com/auth/cloud-platform"
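The generateAccessToken exchange shown in the curl above, written out in Go as an added example (not oauth2l's own code): it builds the POST with a JSON body (scope list plus a short lifetime) and decodes the short-lived token and its expiry. The function names and the sample values are assumptions for illustration; nothing here contacts the network.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"time"
)

// Wire format of IAM Credentials generateAccessToken; the caller must hold
// roles/iam.serviceAccountTokenCreator on the target service account.
type generateAccessTokenRequest struct {
	Scope    []string `json:"scope"`              // OAuth scopes of the new token
	Lifetime string   `json:"lifetime,omitempty"` // e.g. "3600s"; keep it short
}
type generateAccessTokenResponse struct {
	AccessToken string `json:"accessToken"`
	ExpireTime  string `json:"expireTime"` // RFC 3339
}

// NewImpersonationRequest builds the POST that exchanges callerToken for a
// token acting as account (an email or unique ID, as in the curl above).
func NewImpersonationRequest(callerToken, account string, scopes []string, lifetime time.Duration) (*http.Request, error) {
	// Marshal cannot fail for this fixed struct shape.
	body, _ := json.Marshal(generateAccessTokenRequest{Scope: scopes, Lifetime: fmt.Sprintf("%ds", int(lifetime.Seconds()))})
	url := "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/" + account + ":generateAccessToken"
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+callerToken) // the impersonating principal
	req.Header.Set("Content-Type", "application/json")
	return req, nil
}

// ParseImpersonationResponse returns the short-lived token and its expiry.
func ParseImpersonationResponse(body []byte) (string, time.Time, error) {
	var resp generateAccessTokenResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", time.Time{}, err
	}
	exp, err := time.Parse(time.RFC3339, resp.ExpireTime)
	return resp.AccessToken, exp, err
}

func main() {
	// Constructed placeholder values; the request is built but never sent.
	req, _ := NewImpersonationRequest("CALLER_TOKEN", "113258942105700140798", []string{"https://www.googleapis.com/auth/cloud-platform"}, time.Hour)
	fmt.Println(req.Method, req.URL)
}
```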