
IAM Impersonation -- gcloud auth list is unclear

gcloud makes debugging permissions difficult during impersonation because it does not show the impersonated account. Instead, gcloud auth list shows the user account. This leads to confusion and security issues.

GCP has ample documentation to encourage using POLP service accounts, but the tooling makes this difficult.

STEPS TO REPEAT

1. Run the impersonation command, gcloud auth application-default login --impersonate-service-account:

gcloud auth application-default login --impersonate-service-account dev-gcloud-go@dev-tonym-us.iam.gserviceaccount.com

2. See which account is active: 

$ gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
* PERSONAL_ACCOUNT@gmail.com
nps-public-data-loader@nps-public-data.iam.gserviceaccount.com


ACTUAL RESULTS

Personal account is shown, despite the impersonated account being active.

EXPECTED RESULTS

There should be an indicator that the impersonated service account is active. 

WORKAROUNDS

I can inspect the APPLICATION_DEFAULT_CREDENTIALS manually to see what is active:


$ cat ${HOME}/.config/gcloud/application_default_credentials.json | grep service
"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/dev-SERVICE_ACCOUNT@${PROJECT}.iam.gserviceaccount.com:generateAccessToken",
"type": "impersonated_service_account"

 

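The workaround above greps the ADC file by hand. As an added example (not part of the original post and not gcloud's own code), the script below parses application_default_credentials.json and reports the principal that Application Default Credentials will act as: the impersonation target (plus any delegate chain) for an impersonated_service_account entry, the client_email for a service-account key, or a marker for a plain authorized_user entry, which stores only a refresh token and no email. It honours the GOOGLE_APPLICATION_CREDENTIALS override that client libraries check before the well-known path. The sample credential dict, project name and token values are constructed placeholders.

```python
"""Report the principal that Application Default Credentials (ADC) will act as.

Added example for this thread, not gcloud's own code. The type and field names
are the ones gcloud writes into application_default_credentials.json.
"""
import json
import os
import re
from pathlib import Path
from typing import Any, Dict, List, Mapping, Optional

# gcloud writes ADC here on Linux/macOS; GOOGLE_APPLICATION_CREDENTIALS overrides it.
WELL_KNOWN_ADC = Path.home() / ".config" / "gcloud" / "application_default_credentials.json"

# Extracts the target service account from an IAM Credentials generateAccessToken URL.
_SA_IN_URL = re.compile(r"/serviceAccounts/([^/:]+):generateAccessToken$")


def adc_path(env: Optional[Mapping[str, str]] = None) -> Path:
    """Resolve the ADC file a client library would load (env override first)."""
    env = os.environ if env is None else env
    override = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    return Path(override) if override else WELL_KNOWN_ADC


def effective_principal(adc: Mapping[str, Any]) -> Dict[str, Any]:
    """Return {'type', 'principal', 'delegates'} for one ADC JSON document."""
    kind = adc.get("type")
    if kind == "impersonated_service_account":
        m = _SA_IN_URL.search(adc.get("service_account_impersonation_url", ""))
        if not m:
            raise ValueError("impersonated_service_account entry without a parseable impersonation URL")
        delegates: List[str] = list(adc.get("delegates", []))
        return {"type": kind, "principal": m.group(1), "delegates": delegates}
    if kind == "service_account":
        return {"type": kind, "principal": adc["client_email"], "delegates": []}
    if kind == "authorized_user":
        # A user ADC file holds client_id/client_secret/refresh_token only; no email.
        return {"type": kind, "principal": "<authorized user; email not stored in ADC>", "delegates": []}
    if kind == "external_account":
        return {"type": kind, "principal": adc.get("audience", "<unknown audience>"), "delegates": []}
    raise ValueError(f"unknown ADC credential type: {kind!r}")


def summarize(adc: Mapping[str, Any]) -> str:
    """One-line summary, e.g. for a shell prompt or a pre-deploy sanity check."""
    info = effective_principal(adc)
    chain = " -> ".join(info["delegates"] + [info["principal"]])
    return f"{info['type']} as {chain}"


def describe_file(path: Path) -> str:
    """Load an ADC file from disk and summarize it."""
    with open(path, encoding="utf-8") as f:
        return f"ADC ({path}): {summarize(json.load(f))}"


# Constructed sample with the shape gcloud writes after
# `gcloud auth application-default login --impersonate-service-account ...`
# (placeholder project and service-account names; token values are fake).
SAMPLE_IMPERSONATED_ADC: Dict[str, Any] = {
    "service_account_impersonation_url": (
        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
        "dev-gcloud-go@example-project.iam.gserviceaccount.com:generateAccessToken"
    ),
    "source_credentials": {
        "client_id": "fake-client-id.apps.googleusercontent.com",
        "client_secret": "fake-secret",
        "refresh_token": "fake-refresh-token",
        "type": "authorized_user",
    },
    "type": "impersonated_service_account",
}

if __name__ == "__main__":
    p = adc_path()
    print(describe_file(p) if p.exists() else f"no ADC file at {p}; sample: {summarize(SAMPLE_IMPERSONATED_ADC)}")
```

One caveat worth keeping in mind when reading the output: gcloud auth list reports gcloud's own credential store, which is separate from the ADC file. ADC written with --impersonate-service-account is what client libraries and tools that load ADC will use; gcloud commands themselves impersonate only when the --impersonate-service-account flag or the auth/impersonate_service_account property is set.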