Service Account Impersonation: Service account impersonation is when a principal (user or service account) acts as another service account, pretending to be that service account. This is a common use case for temporarily delegating access to Google Cloud resources.
Grant to your user (e.g. <code>$USER@google.com</code>) the <code>roles/iam.serviceAccountTokenCreator</code> role on the service account (referred below as <code>SA@PROJECT.iam.gserviceaccount.com</code>).
<pre class="language-shell"><code class="language-shell">gcloud iam service-accounts add-iam-policy-binding $SA@$PROJECT.iam.gserviceaccount.com \
--member="user:$EMAIL" --role="roles/iam.serviceAccountTokenCreator" --project $PROJECT
</code></pre>
Enable the IAM Service Account Credentials API:
<pre class="language-shell"><code class="language-shell">gcloud services enable iamcredentials.googleapis.com
</code></pre>
Verify the impersonation:
<pre class="language-shell"><code class="language-shell">gcloud auth --impersonate-service-account=$SA@$PROJECT.iam.gserviceaccount.com print-access-token
</code></pre>
The access token should be printed to <code>STDOUT</code> while <code>STDERR</code> will have a warning:
<pre><code>WARNING: This command is using service account impersonation. All API calls will be executed as [SA@PROJECT.iam.gserviceaccount.com].
</code></pre>
Call an API as the SA. Assuming that the service account has the Log Viewer role:
<pre class="language-shell"><code class="language-shell">curl -H "Authorization: Bearer $(gcloud auth --impersonate-service-account=$SA@$PROJECT.iam.gserviceaccount.com print-access-token)" \
-H "Content-Type: application/json" https://logging.googleapis.com/v2/projects/$PROJECT/logs
</code></pre>

GCP - Service Account Impersonation