This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

IAM Impersonation -- gcloud auth list is unclear

Posted on 11-05-2024 03:17 PM
tonymet
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

gcloud makes debugging permissions difficult during impersonation because it does not show the impersonated account.  Instead, gcloud-auth-list is showing the user account . This leads to confusion and security issues. 

GCP has ample documentation to encourage using POLP service accounts, but the tooling makes this difficult.

STEPS TO REPEAT

1. impersonate command with gcloud  auth application-default login --impersonate-service-account

gcloud auth application-default login --impersonate-service-account dev-gcloud-go@dev-tonym-us.iam.gserviceaccount.com

2. See which account is active: 

$ gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
* PERSONAL_ACCOUNT@gmail.com
nps-public-data-loader@nps-public-data.iam.gserviceaccount.com


ACTUAL RESULTS

Personal account is shown, despite the impersonated account being active . 

EXPECTED RESULTS

There should be an indicator that the impersonated service account is active. 

WORKAROUNDS

I can inspect the APPLICATION_DEFAULT_CREDENTIALS manually to see what is active


$cat ${HOME}/.config/gcloud/application_default_credentials.json|grep service
"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/dev-SERVICE_ACCOUNT@${PROJECT}.iam.gserviceaccount.com:generateAccessToken",
"type": "impersonated_service_account"

 

1 0 358
Topic Labels
0 REPLIES 0
Top Solution Authors
View all