
From the GCP documentation:

Users granted the Service Account User role on a service account can use it to indirectly access all the resources to which the service account has access. For example, if a service account has been granted the Compute Admin role (roles/compute.admin), a user that has been granted the Service Account Users role (roles/iam.serviceAccountUser) on that service account can act as the service account to start a Compute Engine instance. In this flow, the user impersonates the service account to perform any tasks using its granted roles and permissions.

So I would like to try this feature:

  1. Create a project.
  2. Add testuser@example.com to the project and grant the Viewer role.
  3. Open a new browser, log in to the GCP console as testuser, and confirm that the user can only view instances and cannot create an instance.
  4. Add a service account, sa-name@project-id.iam.gserviceaccount.com, and grant it the Compute Admin role, so this service account can create instances.
  5. Grant testuser@example.com the Service Account User role on this service account.

So per the GCP document above, I expect testuser@example.com to be able to create an instance, but the Create Instance button remains disabled.

Then I granted testuser@example.com the Service Account User role at the project level; the Create Instance button still remains disabled.

So what is wrong?

  1. Am I misunderstanding? Does granting testuser@example.com the Service Account User role not give testuser the ability to create an instance?

  2. Am I doing something wrong?

  3. How can I create an instance as a service account user?

vego
IAM permissions granted on a SA are not transitively granted to a user. Instead you need to explicitly impersonate the SA in your commands. See this post https://stackoverflow.com/questions/50921909/how-to-invoke-gcloud-with-service-account-impersonation. – Patrick Magee Jul 16 '20 at 01:09



Impersonation works from the command line when you explicitly ask the gcloud CLI to use it. But it's not active by default and thus doesn't work in the GUI.

Try a gcloud command with the parameter --impersonate-service-account=<ServiceAccountEmail>

Note: you need to grant the "Service Usage Consumer" role to the user at the project level, and the "Service Account Token Creator" role to the user at the service account level (or at the project level if you want to impersonate all the service accounts of the project). More detail in this blog post by John Hanley

guillaume blaquiere
The question is specifically about using the "Service Account User" role -- those other roles do indeed work with impersonation, but that's apparently distinct from whatever relies on the "iam.serviceAccounts.actAs" permission from "Service Account User". –  Oct 01 '21 at 17:10
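As an added example (not code from the question, the answer, or Google), the script below puts the two grants discussed on this page side by side: the impersonation path from the answer (Token Creator on the SA, Service Usage Consumer on the project, then `--impersonate-service-account`), and, going one step beyond the answer to address the comment above, the `actAs` path that `roles/iam.serviceAccountUser` actually authorises: attaching the SA to a new VM with `--service-account`, where the caller still needs their own `compute.instances.create` permission. The project ID, zone, user and service-account e-mails are placeholders, and every command is printed rather than executed unless `DRY_RUN=0` is exported, so it can be read offline.

```shell
#!/bin/sh
# Added example: scripts the two distinct grants from this page.
#   (a) impersonation: --impersonate-service-account needs
#       roles/iam.serviceAccountTokenCreator on the SA plus
#       roles/serviceusage.serviceUsageConsumer on the project.
#   (b) attaching the SA to a VM: --service-account needs
#       roles/iam.serviceAccountUser (iam.serviceAccounts.actAs) on the SA;
#       the caller still needs compute.instances.create themselves.
# All identifiers below are placeholders (assumptions), not real resources.

PROJECT_ID="${PROJECT_ID:-example-project-id}"
ZONE="${ZONE:-us-central1-a}"
USER_EMAIL="${USER_EMAIL:-testuser@example.com}"
SA_EMAIL="${SA_EMAIL:-sa-name@${PROJECT_ID}.iam.gserviceaccount.com}"

# run: print the command; execute it only when DRY_RUN=0 is exported.
run() {
    printf '%s\n' "$*"
    if [ "${DRY_RUN:-1}" = "0" ]; then
        "$@"
    fi
}

# Grants for path (a). Binding Token Creator on the single SA, not the
# project, limits what the user can mint tokens for.
grant_impersonation_rights() {
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
        --member="user:$USER_EMAIL" \
        --role="roles/serviceusage.serviceUsageConsumer"
    run gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
        --member="user:$USER_EMAIL" \
        --role="roles/iam.serviceAccountTokenCreator"
}

# Path (a): the call runs as the SA, so the SA's Compute Admin role applies.
create_instance_via_impersonation() {
    run gcloud compute instances create "$1" \
        --project="$PROJECT_ID" --zone="$ZONE" \
        --impersonate-service-account="$SA_EMAIL"
}

# Grant for path (b): actAs on this one SA.
grant_actas_on_sa() {
    run gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
        --member="user:$USER_EMAIL" \
        --role="roles/iam.serviceAccountUser"
}

# Path (b): the caller creates the VM with their own permissions and the
# new VM runs as the SA; Service Account User is what permits the attach.
create_instance_running_as_sa() {
    run gcloud compute instances create "$1" \
        --project="$PROJECT_ID" --zone="$ZONE" \
        --service-account="$SA_EMAIL"
}

# Read-only audit: who holds Token Creator or Service Account User on this SA?
show_sa_bindings() {
    run gcloud iam service-accounts get-iam-policy "$SA_EMAIL" --format=json
}

# Example session (dry run unless DRY_RUN=0).
grant_impersonation_rights
create_instance_via_impersonation "vm-created-as-sa"
show_sa_bindings
```

The dry-run default means running the script prints the exact gcloud invocations for review before any IAM change is made; exporting `DRY_RUN=0` with an authenticated gcloud applies them. The `show_sa_bindings` call is the check worth keeping around: a periodic listing of who can impersonate or act as a privileged SA is how a project-level Token Creator grant (the broad option the answer mentions) gets noticed.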