google/oauth2l

Support Service Account Impersonation

andyrzhao opened this issue · 2 comments

We would like to support service account impersonation, which allows users to exchange access tokens to act as service accounts.

The command may look like:

oauth2l fetch --scope cloud-platform --impersonated-service-account [SERVICE_ACCOUNT]

The command will return a short-term access token to act as the service account specified.

Implementation wise, this command will call the IAM generateAccessToken API method.

We should also consider supporting the reverse - "service account impersonating user account".

Looks like there is a prerequisite for running "add-iam-policy-binding" to bind user to service account, and gcloud is the only tool that can do that AFAIK:

gcloud iam service-accounts add-iam-policy-binding 113258942105700140798 --member="user:andyzhao@google.com" --role="roles/iam.serviceAccountTokenCreator" --project andyzhaotest

Afterwards, service account impersonation can be done through:

curl -H "Authorization: Bearer redacted" -X POST https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/113258942105700140798:generateAccessToken -d "scope=https://www.googleapis.com/auth/cloud-platform"

Implemented via #108
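Added example, not code from the issue or from oauth2l: a Go sketch of the exchange the issue proposes, POSTing to the IAM Credentials generateAccessToken endpoint shown in the curl above with a JSON body (scope as a list, lifetime as a duration string, which is the public API's wire shape). The function name, the baseURL parameter and the one-hour lifetime bound are this example's own assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"time"
)

// Wire shape of the IAM Credentials generateAccessToken method (public REST
// API): scope is a list and lifetime a duration string such as "600s".
type GenerateAccessTokenRequest struct {
	Scope    []string `json:"scope"`
	Lifetime string   `json:"lifetime,omitempty"`
}
type GenerateAccessTokenResponse struct {
	AccessToken string `json:"accessToken"`
	ExpireTime  string `json:"expireTime"`
}

// ImpersonateServiceAccount exchanges callerToken for a short-lived token for
// target (SA email or unique id); baseURL is iamcredentials.googleapis.com in production.
func ImpersonateServiceAccount(client *http.Client, baseURL, callerToken, target string, scopes []string, lifetime time.Duration) (*GenerateAccessTokenResponse, error) {
	// Mint for as short a window as the task allows; the API's default cap is 1h.
	if lifetime <= 0 || lifetime > time.Hour {
		return nil, fmt.Errorf("lifetime %v outside (0, 1h]", lifetime)
	}
	body, _ := json.Marshal(GenerateAccessTokenRequest{Scope: scopes, Lifetime: fmt.Sprintf("%ds", int(lifetime.Seconds()))})
	url := fmt.Sprintf("%s/v1/projects/-/serviceAccounts/%s:generateAccessToken", baseURL, target)
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+callerToken)
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("generateAccessToken: HTTP %d", resp.StatusCode)
	}
	var out GenerateAccessTokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, err
	}
	return &out, nil
}
```

The caller's own token still needs roles/iam.serviceAccountTokenCreator on the target, as the add-iam-policy-binding step above sets up; the API answers 403 otherwise, which this function surfaces as an error.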