Impersonating service agent

Hi,

Is it possible for users to gain permissions to impersonate a Service Agent account (e.g. AI Platform Service Agent)? I tried using the Service Account User role for a project but I wasn't able to impersonate any service agents associated with the project.

Just a note, I don't have a use case that requires this permission - this is just to verify from security side if it is at all possible to do this so we can put monitoring around it.

Thanks!

1 ACCEPTED SOLUTION

Hi @minjee,

Welcome to the Google Cloud Community!

In GCP, users can impersonate custom service accounts if they're assigned the "Service Account User" role, allowing them to perform actions on behalf of these accounts. However, this does not typically apply to Per-Product Per-Project Service Accounts (P4SAs), also known as service agents. These special accounts are automatically created by Google Cloud for specific services (like AI Platform) and have restricted impersonation capabilities to ensure security. Direct impersonation of P4SAs by users is generally not allowed, safeguarding the privileged operations these service agents perform. 
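
For the monitoring the question mentions, one way to flag impersonation attempts against service agents in exported audit logs (an added example, not part of the original thread and not Google's code). It assumes IAM Service Account Credentials API Data Access entries are enabled and exported as JSON lines in the Cloud Audit Logs `protoPayload` layout; the e-mail regex is a heuristic, and the function names and sample entries are constructed for illustration.

```python
import json
import re

# Heuristic (assumption): common service agent e-mail shapes, not an official list.
SERVICE_AGENT_RE = re.compile(
    r"^(service-\d+@[a-z0-9.-]+\.iam\.gserviceaccount\.com"
    r"|\d+@cloudservices\.gserviceaccount\.com)$")
# IAM Service Account Credentials API methods that mint credentials for an account.
METHODS = {"GenerateAccessToken", "GenerateIdToken", "SignBlob", "SignJwt"}

def find_service_agent_impersonation(log_lines):
    """Return one finding per audit entry whose target is a service agent."""
    findings = []
    for line in log_lines:
        try:
            entry = json.loads(line)
            payload = entry.get("protoPayload", {})
        except (json.JSONDecodeError, AttributeError):
            continue  # skip malformed or non-object lines
        if (payload.get("serviceName") != "iamcredentials.googleapis.com"
                or payload.get("methodName") not in METHODS):
            continue
        target = entry.get("resource", {}).get("labels", {}).get("email_id") or ""
        if not SERVICE_AGENT_RE.match(target):
            continue  # ordinary user-managed service account
        code = payload.get("status", {}).get("code", 0)  # 7 = PERMISSION_DENIED
        findings.append({
            "caller": payload.get("authenticationInfo", {}).get("principalEmail"),
            "target": target,
            "method": payload["methodName"],
            "outcome": "ok" if code == 0 else "denied" if code == 7 else f"error:{code}",
        })
    return findings

# Constructed sample input (not real logs), built in the assumed field layout.
def make_entry(caller, method, code, target):
    return json.dumps({
        "protoPayload": {"serviceName": "iamcredentials.googleapis.com",
                         "methodName": method, "status": {"code": code},
                         "authenticationInfo": {"principalEmail": caller}},
        "resource": {"type": "service_account", "labels": {"email_id": target}}})

SAMPLE = [
    make_entry("alice@example.com", "GenerateAccessToken", 7,
               "service-123456789012@cloud-ml.google.com.iam.gserviceaccount.com"),
    make_entry("ci@example.com", "GenerateAccessToken", 0,
               "build@my-proj.iam.gserviceaccount.com"),
    "not json",
]
```

Calling `find_service_agent_impersonation(SAMPLE)` reports only the denied attempt against the service agent; denied attempts are worth alerting on as well as successful ones.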
