Is there a way to use gsutil while impersonating a service account?

Question

I am in the process of attempting to adjust user permissions in Google Cloud and have created a service account that other users can impersonate to access various projects. The gcloud command has the --impersonate-service-account option to make API calls with the proper authentication, but I was wondering if anyone knows how to make such calls using gsutil.

Here's an example of what a successful call looks like using gcloud:

gcloud --impersonate-service-account=superuser@PROJECT1.iam.gserviceaccount.com iam service-accounts list --project PROJECT2

score 15 · Accepted Answer · edited Jan 13 '20 at 17:17

15

Yes, here's the option:

$ gsutil -i [SERVICE-ACCOUNT]@[PROJECT] [GSUTIL-COMMAND]

Example:

$ gsutil -i myserviceaccount@iam.gserviceaccount.com ls

edited Jan 13 '20 at 17:17

Das_Geek

2,775
7
20
26

answered Jan 13 '20 at 16:31

Fer

166
1
2

score 3 · Answer 2 · answered Jun 19 '19 at 03:34

There is no such option in the top-level gsutil command-line options (at least not a documented one).

By contrast the gcloud --impersonate-service-account is documented.

Things to try:

if you use the gsutil distributed with the gcloud SDK - it has some ability to use the credentials established by gcloud auth, see Configuring/Using Credentials Via Cloud Sdk Distribution Of Gsutil
if you use the standalone version, check the gsutil config command, which should allow specifying a service account credentials (see also Updating To The Latest Configuration File):

-e Prompt for service account credentials. This option requires that -a is not set.

I previously tried the things you suggested and have come to a similar conclusion that as of now, no such feature exists. I opened this issue on the gsutil github project: https://github.com/GoogleCloudPlatform/gsutil/issues/813 Thanks! — bboe, Jun 19 '19 at 05:03

Is there a way to use gsutil while impersonating a service account?

2 Answers2