While a user account impersonates a service account to call a GCP API or gcloud command, does the request have the union of permissions for both the user account and the service account?
For example, if the request returns a 403 error such as:
Error: Error enabling Shared VPC Host "{project}": googleapi: Error 403: Required 'compute.organizations.enableXpnHost' permission for 'projects/{project}', forbidden
Would it make any difference to the result of this call whether I added the permission to the user account or the service account?
The response doesn't say whether it's the service account or the principal who lacks the permission.
Obviously, it affects the wider security context: if I add the permission to my user account, then only I can perform that task (on any resource I can access), but if I add it to the service account, then anyone who can impersonate that service account can perform the task (on any resource the service account can access). But does it affect the specific API call?