
Implement ADC service account impersonation

Open coryan opened this issue 2 years ago • 3 comments

This is described internally at go/adc-impersonation

Basically it requires extending the parsing of the ADC configuration file (if it exists) to support a new type: impersonated_service_account. This new type supports the following JSON format:

  • "service_account_impersonation_url": string, the URL to use for the impersonation workflow.
    • Example: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken"
  • "delegates": array of string. The list of delegates to use in the impersonation workflow.
  • "source_credentials": object, the base credentials to authenticate with.
  • "type": string, the value "impersonated_service_account".

Recall that we already implement this form of impersonation for external accounts, so there is existing code to reuse.

For details on the impersonation workflow, see:

https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateAccessToken

coryan avatar Aug 30 '23 13:08 coryan
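An added example of the parsing step the issue describes, written in Python with a constructed ADC document; it is not google-cloud-cpp code. The endpoint and path checks are assumed hardening (the file on disk is untrusted input and the source credential's bearer token is sent to that URL), and the `projects/-/serviceAccounts/{EMAIL}` delegate form is the one the linked generateAccessToken reference documents.

```python
import json
from urllib.parse import urlparse

# Constructed sample ADC file of the new type; the values are placeholders, not real credentials.
SAMPLE_ADC = json.dumps({
    "type": "impersonated_service_account",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/"
        "serviceAccounts/target@example-project.iam.gserviceaccount.com:generateAccessToken",
    "delegates": ["delegate@example-project.iam.gserviceaccount.com"],
    "source_credentials": {"type": "authorized_user", "client_id": "id", "client_secret": "s",
                           "refresh_token": "r"},
})

IAM_HOST = "iamcredentials.googleapis.com"
SOURCE_TYPES = {"authorized_user", "service_account", "external_account"}
PATH_PREFIX, PATH_SUFFIX = "/v1/projects/-/serviceAccounts/", ":generateAccessToken"


def parse_impersonated_adc(text):
    """Validate an impersonated_service_account ADC document and return its pieces."""
    cfg = json.loads(text)
    if cfg.get("type") != "impersonated_service_account":
        raise ValueError("not an impersonated_service_account credential")
    url = cfg.get("service_account_impersonation_url")
    if not isinstance(url, str):
        raise ValueError("service_account_impersonation_url must be a string")
    u = urlparse(url)
    # The file is untrusted input and the source credential's bearer token goes to this URL,
    # so only accept the real IAM Credentials endpoint over TLS (assumed hardening, not from the issue).
    if u.scheme != "https" or u.hostname != IAM_HOST:
        raise ValueError("impersonation URL must point at https://" + IAM_HOST)
    if not (u.path.startswith(PATH_PREFIX) and u.path.endswith(PATH_SUFFIX)):
        raise ValueError("impersonation URL path is not a generateAccessToken resource")
    target = u.path[len(PATH_PREFIX):-len(PATH_SUFFIX)]
    delegates = cfg.get("delegates", [])
    if not isinstance(delegates, list) or not all(isinstance(d, str) for d in delegates):
        raise ValueError("delegates must be an array of strings")
    source = cfg.get("source_credentials")
    if not isinstance(source, dict) or source.get("type") not in SOURCE_TYPES:
        raise ValueError("source_credentials must be an object with a supported type")
    return {"url": url, "target": target, "delegates": delegates, "source": source}


def generate_access_token_body(parsed, scopes, lifetime_seconds=3600):
    """Request body for generateAccessToken, sent with the source credential's access token."""
    # The API expects delegates as projects/-/serviceAccounts/{EMAIL}; accept either spelling.
    delegates = [d if d.startswith("projects/") else "projects/-/serviceAccounts/" + d
                 for d in parsed["delegates"]]
    return {"delegates": delegates, "scope": list(scopes), "lifetime": f"{lifetime_seconds}s"}
```

The returned body is what the source credential POSTs to `parsed["url"]`; the response's `accessToken` and `expireTime` then become the impersonated credential's token and expiry.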

Strike 1.

coryan avatar Feb 14 '24 20:02 coryan