
I have two different GCP projects and am trying to clone a persistent disk from one project to the other. I have a service account in each project, and I need to create an impersonation token that will allow me to read the persistent disk from one project, and create a new persistent disk resource in the other project.

  • Project A -> Service Account A
  • Project B -> Service Account B

The problem is that impersonating one or the other service accounts to create the persistent disk does not work because a single API call needs to read the disk from Project A and create a new disk in Project B. In other words, I need to make an API call using a single impersonated token that has permissions to both. How can I do this with the Go API client?

Here is my impersonation code as it stands today:

```go
import (
	"context"
	"fmt"
	"golang.org/x/oauth2"
	"google.golang.org/api/impersonate"
	"google.golang.org/api/option"
)

// Impersonate exchanges the caller's service-account key (JSON) for a short-lived
// access token minted for a single target principal.
func Impersonate(ctx context.Context, principal string, credentials []byte) (*oauth2.Token, error) {
	source, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{
		TargetPrincipal: principal,
		Scopes:          []string{"https://www.googleapis.com/auth/compute", "https://www.googleapis.com/auth/cloud-platform"},
	}, option.WithCredentialsJSON(credentials))
	if err != nil {
		return nil, fmt.Errorf("creating impersonated token source: %w", err)
	}
	return source.Token()
}
```

Clark McCauley

1 Answer


You can only impersonate one identity at a time. The correct method is to use a service account that has permissions in both projects.

John Hanley
  • i.e. add the service account as an IAM user to both projects I assume? Also, is there some arrangement of service accounts that would allow us to use delegates to solve this problem? – Clark McCauley Jun 21 '22 at 19:12
  • @ClarkMcCauley - Yes, add the service account identity to both projects with the required IAM roles. Regarding **delegate**. Delegates are used in a chain to grant permission to use the final identity. Delegates do not combine permissions. – John Hanley Jun 21 '22 at 19:16
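
The following is an added example, not code from the question or the answer, that runs the three arrangements discussed above (impersonate Service Account A alone, chain A as a delegate to B, or one service account granted roles in both projects) and shows that only the last one gets the single cross-project `disks.insert` through. It calls the two REST endpoints that `impersonate.CredentialsTokenSource` and the Compute client wrap (`iamcredentials` `generateAccessToken` and compute `disks.insert`) directly with the standard library, so it can run offline against an `httptest` stand-in. The service-account emails, project IDs, zone, disk names, the `caller-token` value and the fake's permission table are all constructed for the demo; the fake models exactly one rule, the one the answer states: a minted token carries one identity's roles, and delegates add nothing to it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Base URLs of the two Google APIs involved; variables so the offline demo can point them at a fake.
var iamCredentialsBase, computeBase = "https://iamcredentials.googleapis.com", "https://compute.googleapis.com"

// Body of iamcredentials projects.serviceAccounts.generateAccessToken, the REST call that
// impersonate.CredentialsTokenSource issues under the hood.
type tokenRequest struct {
	Delegates []string `json:"delegates,omitempty"` // full names: projects/-/serviceAccounts/<email>
	Scope     []string `json:"scope"`
	Lifetime  string   `json:"lifetime,omitempty"`
}

// postJSON sends one bearer-authenticated JSON POST and decodes a 200 reply into out.
func postJSON(client *http.Client, token, url string, in, out interface{}) error {
	buf, _ := json.Marshal(in) // in is always one of our own structs or maps, so Marshal cannot fail
	req, err := http.NewRequest(http.MethodPost, url, strings.NewReader(string(buf)))
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s: HTTP %d", url, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// Impersonate mints a token for exactly one target principal. Delegates only authorise the hops
// to that principal; the token carries the target's permissions alone, never the chain's union.
func Impersonate(client *http.Client, callerToken, target string, delegates []string) (string, error) {
	in := tokenRequest{Delegates: delegates, Scope: []string{"https://www.googleapis.com/auth/cloud-platform"}, Lifetime: "3600s"}
	out := map[string]string{}
	if err := postJSON(client, callerToken, fmt.Sprintf("%s/v1/projects/-/serviceAccounts/%s:generateAccessToken", iamCredentialsBase, target), in, &out); err != nil {
		return "", err
	}
	return out["accessToken"], nil
}

// CloneDisk is the single compute disks.insert from the question: it creates dstDisk in dstProject
// from a sourceDisk URL in srcProject, so the one bearer token must be authorised in both projects.
func CloneDisk(client *http.Client, token, srcProject, srcDisk, dstProject, dstDisk, zone string) error {
	in := map[string]string{"name": dstDisk, "sourceDisk": fmt.Sprintf("projects/%s/zones/%s/disks/%s", srcProject, zone, srcDisk)}
	return postJSON(client, token, fmt.Sprintf("%s/compute/v1/projects/%s/zones/%s/disks", computeBase, dstProject, zone), in, &struct{}{})
}

// newFakeGoogle is a constructed stand-in for both APIs so the flow runs offline. grants maps a
// service-account email to the projects in which it holds the compute roles the clone needs.
func newFakeGoogle(grants map[string]map[string]bool) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/projects/-/serviceAccounts/", func(w http.ResponseWriter, r *http.Request) {
		sa := strings.TrimSuffix(strings.TrimPrefix(r.URL.Path, "/v1/projects/-/serviceAccounts/"), ":generateAccessToken")
		// The token names only the target account; as with the real API, delegates add nothing to it.
		json.NewEncoder(w).Encode(map[string]string{"accessToken": "tok:" + sa})
	})
	mux.HandleFunc("/compute/v1/projects/", func(w http.ResponseWriter, r *http.Request) {
		sa := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer tok:")
		dst := strings.SplitN(strings.TrimPrefix(r.URL.Path, "/compute/v1/projects/"), "/", 2)[0]
		body := map[string]string{}
		_ = json.NewDecoder(r.Body).Decode(&body)
		src := strings.SplitN(body["sourceDisk"]+"/", "/", 3)[1] // "projects/<src>/zones/..." -> <src>
		if !grants[sa][src] || !grants[sa][dst] {
			http.Error(w, "forbidden: token holds no role in "+src+" or "+dst, http.StatusForbidden)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"name": "operation-clone-" + dst})
	})
	return httptest.NewServer(mux)
}

// Demo runs the three arrangements discussed in the thread and reports which clone succeeds.
func Demo() map[string]bool {
	const a, b, both = "sa-a@project-a.iam.gserviceaccount.com", "sa-b@project-b.iam.gserviceaccount.com", "clone@project-b.iam.gserviceaccount.com"
	srv := newFakeGoogle(map[string]map[string]bool{a: {"project-a": true}, b: {"project-b": true}, both: {"project-a": true, "project-b": true}})
	defer srv.Close()
	iamCredentialsBase, computeBase = srv.URL, srv.URL
	try := func(target string, delegates ...string) bool {
		tok, err := Impersonate(srv.Client(), "caller-token", target, delegates)
		return err == nil && CloneDisk(srv.Client(), tok, "project-a", "src-disk", "project-b", "dst-disk", "us-central1-a") == nil
	}
	return map[string]bool{
		"impersonate SA A only":              try(a),
		"SA A as delegate, SA B as target":   try(b, "projects/-/serviceAccounts/"+a), // token is B's; A's access is not added
		"one SA with roles in both projects": try(both),
	}
}
```

Against the real endpoints (leave the two base URLs at their defaults), `callerToken` is a token for whatever credential runs the job, and that credential needs the Service Account Token Creator role on the target principal (or on the first delegate of a chain). The security point to take from the demo is the second case: chaining A into B does not give the minted token A's read access on the source disk, so the least-privilege design is one dedicated service account holding only the disk roles it needs in each of the two projects.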