gcloud makes debugging permissions difficult during impersonation because it does not show the impersonated account. Instead, gcloud auth list shows the user account. This leads to confusion and security issues.
GCP has ample documentation to encourage using POLP service accounts, but the tooling makes this difficult.
1. Impersonate a service account with gcloud auth application-default login --impersonate-service-account:
gcloud auth application-default login --impersonate-service-account dev-gcloud-go@dev-tonym-us.iam.gserviceaccount.com
2. See which account is active:
$ gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
* PERSONAL_ACCOUNT@gmail.com
nps-public-data-loader@nps-public-data.iam.gserviceaccount.com
The personal account is shown, despite the impersonated account being active.
There should be an indicator that the impersonated service account is active.
I can inspect the application_default_credentials.json file manually to see what is active:
$ cat ${HOME}/.config/gcloud/application_default_credentials.json | grep service
"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/dev-SERVICE_ACCOUNT@${PROJECT}.iam.gserviceaccount.com:generateAccessToken",
"type": "impersonated_service_account"
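Since gcloud auth list reports only the CLI credential and not what the application default credentials (ADC) file resolves to, a small checker that reads that file and prints the effective principal is a practical workaround. The script below is an added example written for this report, not part of gcloud and not the reporter's own code. It assumes the Linux/macOS ADC location (${CLOUDSDK_CONFIG:-~/.config/gcloud}/application_default_credentials.json), parses the service_account_impersonation_url exactly as shown in the output above, and also handles the plain user and service-account ADC shapes; the sample records and account names in it are constructed placeholders.

```python
"""Report which identity gcloud application default credentials (ADC) resolve to.

Added example for this report; not part of gcloud. It reads the ADC JSON that
`gcloud auth application-default login` writes and reports the impersonated
service account that `gcloud auth list` does not show. Sample records below
are constructed; the account names are placeholders.
"""
import json
import os
import re
from pathlib import Path

# ADC records the impersonation target only inside the iamcredentials URL:
#   .../serviceAccounts/<sa-email>:generateAccessToken
_SA_FROM_URL = re.compile(r"/serviceAccounts/([^/:]+):generateAccessToken$")


def default_adc_path() -> Path:
    """ADC path on Linux/macOS (assumption: Windows uses %APPDATA%\\gcloud instead)."""
    config_dir = os.environ.get("CLOUDSDK_CONFIG") or str(Path.home() / ".config" / "gcloud")
    return Path(config_dir) / "application_default_credentials.json"


def effective_identity(adc: dict) -> dict:
    """Describe who code using this ADC record will act as.

    Returns {"kind": ..., "principal": ...}; for impersonation it also returns
    "via", the type of the source credential that mints the impersonated token.
    """
    cred_type = adc.get("type")
    if cred_type == "impersonated_service_account":
        url = adc.get("service_account_impersonation_url", "")
        match = _SA_FROM_URL.search(url)
        if not match:
            raise ValueError("impersonation URL has an unexpected shape: %r" % url)
        return {
            "kind": "impersonated_service_account",
            "principal": match.group(1),
            "via": adc.get("source_credentials", {}).get("type"),
        }
    if cred_type == "authorized_user":
        # A user ADC record holds a refresh token, not necessarily the e-mail,
        # so fall back to a marker when no "account" field is present.
        return {"kind": "user", "principal": adc.get("account") or "<user; see gcloud auth list>"}
    if cred_type == "service_account":
        return {"kind": "service_account", "principal": adc.get("client_email")}
    raise ValueError("unknown ADC type: %r" % cred_type)


def describe_adc_file(path=None) -> dict:
    """Load the ADC file (default location unless given) and classify it."""
    adc_path = Path(path) if path else default_adc_path()
    with open(adc_path, encoding="utf-8") as fh:
        return effective_identity(json.load(fh))


# Constructed sample records (placeholder names) mirroring the two ADC shapes
# relevant to the report: plain user login vs. login with --impersonate-service-account.
SAMPLE_USER_ADC = {
    "client_id": "placeholder-client-id.apps.googleusercontent.com",
    "client_secret": "placeholder-secret",
    "refresh_token": "placeholder-refresh-token",
    "type": "authorized_user",
}

SAMPLE_IMPERSONATED_ADC = {
    "delegates": [],
    "service_account_impersonation_url": (
        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
        "dev-gcloud-go@example-project.iam.gserviceaccount.com:generateAccessToken"
    ),
    "source_credentials": SAMPLE_USER_ADC,
    "type": "impersonated_service_account",
}


if __name__ == "__main__":
    # Run against the real ADC file when it exists, otherwise show the samples.
    target = default_adc_path()
    if target.exists():
        print(json.dumps(describe_adc_file(target), indent=2))
    else:
        for sample in (SAMPLE_USER_ADC, SAMPLE_IMPERSONATED_ADC):
            print(json.dumps(effective_identity(sample), indent=2))
```

Running it after the impersonated login from step 1 prints kind impersonated_service_account with the service account e-mail as the principal and via authorized_user, which is the indicator the report asks gcloud auth list to provide.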