GCP - IAM
Principals, Roles, Permissions
- a role can have multiple permissions
- a role can be granted to a principal
- a principal can be a user, a service account, a group, etc.
Service account impersonation
What is Service account impersonation?
Impersonating the service account =
- A user gains permissions of a service account, or
- A service account A gains permissions of service account B.
When to impersonate a service account?
- change a user's permissions without changing your IAM policies.
- temporarily grant a user elevated access.
- test whether a specific set of permissions is sufficient for a task.
- locally develop applications that can only run as a service account.
- authenticate applications that run outside of Google Cloud.
How does impersonation work?
Technically, "impersonation" means granting the principal (a user or another service account) the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on the service account, so that the authenticated principal can obtain a token for the service account and then use that token to authenticate as the service account.
How to impersonate a service account?
- Using the gcloud command with --impersonate-service-account, the CLI creates short-lived credentials for the service account and runs the command with those credentials.
- The Cloud Client Libraries use Application Default Credentials (ADC) to obtain short-lived credentials for the service account.
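The workflow above (grant the Token Creator role on the service account, run a command with --impersonate-service-account, point ADC at the service account), as an added shell example that is not part of these notes. The project id, service account and caller are assumed placeholder values, and DRY_RUN=1 (the default) prints the gcloud commands instead of running them so the script can be read and checked offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes. Placeholder values are assumed;
# set PROJECT, TARGET_SA and CALLER for a real run and DRY_RUN=0 to execute.
set -eu

PROJECT="${PROJECT:-my-project-id}"                                     # assumed
TARGET_SA="${TARGET_SA:-deploy@my-project-id.iam.gserviceaccount.com}"  # assumed
CALLER="${CALLER:-user:alice@example.com}"                              # assumed
DRY_RUN="${DRY_RUN:-1}"

# run: execute a gcloud command, or only print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s ' "$@"; printf '\n'
  else
    "$@"
  fi
}

# Step 1: the only grant impersonation needs is Token Creator on the SA
# itself (an SA-level binding, kept off the project-level policy).
grant_token_creator() {
  run gcloud iam service-accounts add-iam-policy-binding "$TARGET_SA" \
    --project="$PROJECT" \
    --member="$CALLER" \
    --role="roles/iam.serviceAccountTokenCreator"
}

# Step 2: run one command as the SA; gcloud mints a short-lived token for it.
list_buckets_as_sa() {
  run gcloud storage ls --project="$PROJECT" \
    --impersonate-service-account="$TARGET_SA"
}

# Step 3: make ADC impersonate too, so local client-library code runs as the SA.
configure_adc_impersonation() {
  run gcloud auth application-default login \
    --impersonate-service-account="$TARGET_SA"
}

# Check: list who may impersonate this SA. Token Creator effectively hands
# out every permission the SA holds, so these bindings deserve regular review.
who_can_impersonate() {
  run gcloud iam service-accounts get-iam-policy "$TARGET_SA" \
    --project="$PROJECT" --format="json"
}

grant_token_creator
list_buckets_as_sa
configure_adc_impersonation
who_can_impersonate
```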
What's the equivalent concept in AWS?
Google Cloud service account impersonation is similar to Amazon Web Services (AWS) Security Token Service API methods like AssumeRole.
What is Workload Identity Federation?
- Workload Identity Federation: a workload running in AWS or Azure can access Google Cloud resources.
- e.g. a VM running on AWS writes its results to a GCS bucket.
- Workload Identity Federation for GKE: a workload running in GKE can access Google Cloud resources.
- Kubernetes service accounts (which are different from GCP service accounts) in the GKE cluster can access Google Cloud resources directly.