
gcloud has a --impersonate-service-account flag
gsutil has a -i flag

But I want to configure impersonation once in my current session and then know that all future commands are using that service account. So what I want is to gcloud activate-service-account some-service-account-to-impersonate WITHOUT a static key. Is this possible? Can gcloud setup impersonation for my current session like this without me having to specify --impersonate-service-account for every command?

Additionally I want to develop locally and run my app locally as a service account using impersonation. If I have the app configured to use implicit creds (google SDK should look for GOOGLE_APPLICATION_CREDENTIALS or use the user's OAuth creds by default) I'm thinking it would be possible to run gcloud activate-service-account with impersonation then run my app in that same session and it will run with the impersonated account.

EDIT: per comments looks like this is what I want: gcloud config set auth/impersonate_service_account [SA_FULL_EMAIL]

halfer
red888

1 Answer


I wrote an article that goes into detail on how to setup and use service account impersonation.

Google Cloud – Improving Security with Impersonation

To configure the CLI to use impersonation by default:

gcloud config set auth/impersonate_service_account [SA_FULL_EMAIL]

To clear this setting:

gcloud config unset auth/impersonate_service_account
John Hanley
    Just asked another question about how to do this inside a container. so developers can run apps locally in containers and still do impersonation the same way: https://stackoverflow.com/questions/61345638/how-can-i-get-my-gcloud-user-creds-into-a-container-securely-and-use-them-to-imp – red888 Apr 21 '20 at 14:14
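Added example (not code from the question, the answer or the linked article): a small POSIX shell helper that applies the `auth/impersonate_service_account` property from the accepted answer, then checks that the access token gcloud now mints really belongs to the service account by asking Google's tokeninfo endpoint, and finally writes impersonated Application Default Credentials for an app run locally. The `GCLOUD` and `CURL` variables are my addition so the functions can be exercised with stubs; `gcloud auth application-default login --impersonate-service-account` is a real flag but one that was added to gcloud after this thread was written, and the service-account email used below is a placeholder.

```shell
#!/usr/bin/env sh
# Session-wide service-account impersonation for gcloud, with a verification step.
# Assumptions: gcloud and curl are on PATH; the caller has
# roles/iam.serviceAccountTokenCreator on the target service account.
# GCLOUD/CURL are overridable purely so the functions can be tested with stubs.
GCLOUD="${GCLOUD:-gcloud}"
CURL="${CURL:-curl}"

# Only accept a full service-account email; a bare account name is silently
# useless to the IAM Credentials API later on.
sa_email_valid() {
  case "$1" in
    *@*.iam.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Persist impersonation in the active gcloud configuration.
# This affects gcloud (and gsutil/bq via gcloud) for every later command in
# the session; it does NOT change what client libraries read from ADC.
set_impersonation() {
  sa="$1"
  sa_email_valid "$sa" || { echo "not a service-account email: $sa" >&2; return 1; }
  "$GCLOUD" config set auth/impersonate_service_account "$sa" >/dev/null
}

clear_impersonation() {
  "$GCLOUD" config unset auth/impersonate_service_account >/dev/null
}

# Ask Google who the current gcloud access token belongs to.
# With impersonation active this must be the service account, not the human.
token_principal() {
  tok="$("$GCLOUD" auth print-access-token)" || return 1
  "$CURL" -s "https://oauth2.googleapis.com/tokeninfo?access_token=$tok" \
    | sed -n 's/.*"email": *"\([^"]*\)".*/\1/p'
}

# Succeeds only when a service account is configured AND the minted token is
# actually issued to that account (catches a missing Token Creator grant, a
# disabled IAM Credentials API, or a typo in the property).
verify_impersonation() {
  want="$("$GCLOUD" config get-value auth/impersonate_service_account 2>/dev/null)"
  got="$(token_principal)" || return 1
  [ -n "$want" ] && [ "$got" = "$want" ]
}

# For an app run locally through ADC: write an impersonated-service-account
# credential file that google-auth libraries understand. The flag is newer
# than the thread above and is passed explicitly rather than relying on the
# auth/impersonate_service_account property.
adc_impersonate() {
  sa="$1"
  sa_email_valid "$sa" || return 1
  "$GCLOUD" auth application-default login --impersonate-service-account "$sa"
}

# Typical session (placeholder email):
#   set_impersonation deployer@my-project.iam.gserviceaccount.com
#   verify_impersonation && echo "gcloud now acts as the service account"
#   adc_impersonate deployer@my-project.iam.gserviceaccount.com   # then run the app
#   clear_impersonation
```

The tokeninfo check is the part worth keeping: `gcloud config set` happily stores any string, so the only way to know the session is really acting as the service account is to inspect a token it minted. Impersonated tokens are short-lived and every minting is logged against the human caller in Cloud Audit Logs, which is the security argument for this over a downloaded key file.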