How can I allow a user to become an actor of a service account in Google Cloud Platform (GCP)?

Question

I have a service account that I want to be able to 'act as' (in AWS it's called 'assume'). My service account called 'bucket-viewer-service-account' is shown below in my project:

$ gcloud projects get-iam-policy myproject
bindings:
- members:
  - serviceAccount:123456789012-compute@developer.gserviceaccount.com
  role: roles/editor
- members:
  - user:me@myemail.com
  role: roles/owner
- members:
  - serviceAccount:bucket-viewer-service-account@myproject.iam.gserviceaccount.com
  role: roles/storage.objectViewer
etag: BwVOE_CkjAo=
version: 1

I want to grant another user the ability to 'act as' this service account and I have applied the following, but not getting very far:

$ gcloud iam service-accounts add-iam-policy-binding \
    bucket-viewer-service-account@myproject.iam.gserviceaccount.com \
    --member='user:test.gcp1@myemail.com' --role='roles/iam.serviceAccountActor'
bindings:
- members:
  - user:user:test.gcp1@myemail.com
  role: roles/iam.serviceAccountActor
etag: BwVOFAhEVqY=

Is that all I have to do so that the user test.gcp1@myemail.com (once they're logged in) can access the resources available to the service account? Or is there another step required for the user to 'assume' the service account?

I've looked through the many pages of documentation Understanding Service Accounts for starters, but most seem to be thinking in terms of applications using service accounts, where the docs definitely mention users, groups etc can use service accounts to.

Answer 1

I have a service account that I want to be able to 'act as' (in AWS it's called 'assume'). My service account called 'bucket-viewer-service-account' is shown below in my project:

$ gcloud projects get-iam-policy myproject
bindings:
- members:
  - serviceAccount:123456789012-compute@developer.gserviceaccount.com
  role: roles/editor
- members:
  - user:me@myemail.com
  role: roles/owner
- members:
  - serviceAccount:bucket-viewer-service-account@myproject.iam.gserviceaccount.com
  role: roles/storage.objectViewer
etag: BwVOE_CkjAo=
version: 1

I want to grant another user the ability to 'act as' this service account and I have applied the following, but not getting very far:

$ gcloud iam service-accounts add-iam-policy-binding \
    bucket-viewer-service-account@myproject.iam.gserviceaccount.com \
    --member='user:test.gcp1@myemail.com' --role='roles/iam.serviceAccountActor'
bindings:
- members:
  - user:user:test.gcp1@myemail.com
  role: roles/iam.serviceAccountActor
etag: BwVOFAhEVqY=

Is that all I have to do so that the user test.gcp1@myemail.com (once they're logged in) can access the resources available to the service account? Or is there another step required for the user to 'assume' the service account?

I've looked through the many pages of documentation Understanding Service Accounts for starters, but most seem to be thinking in terms of applications using service accounts, where the docs definitely mention users, groups etc can use service accounts to.

Answer 2

I have a service account that I want to be able to 'act as' (in AWS it's called 'assume'). My service account called 'bucket-viewer-service-account' is shown below in my project:

$ gcloud projects get-iam-policy myproject
bindings:
- members:
  - serviceAccount:123456789012-compute@developer.gserviceaccount.com
  role: roles/editor
- members:
  - user:me@myemail.com
  role: roles/owner
- members:
  - serviceAccount:bucket-viewer-service-account@myproject.iam.gserviceaccount.com
  role: roles/storage.objectViewer
etag: BwVOE_CkjAo=
version: 1

I want to grant another user the ability to 'act as' this service account and I have applied the following, but not getting very far:

$ gcloud iam service-accounts add-iam-policy-binding \
    bucket-viewer-service-account@myproject.iam.gserviceaccount.com \
    --member='user:test.gcp1@myemail.com' --role='roles/iam.serviceAccountActor'
bindings:
- members:
  - user:user:test.gcp1@myemail.com
  role: roles/iam.serviceAccountActor
etag: BwVOFAhEVqY=

Is that all I have to do so that the user test.gcp1@myemail.com (once they're logged in) can access the resources available to the service account? Or is there another step required for the user to 'assume' the service account?

I've looked through the many pages of documentation Understanding Service Accounts for starters, but most seem to be thinking in terms of applications using service accounts, where the docs definitely mention users, groups etc can use service accounts to.

Answer 3

I have a service account that I want to be able to 'act as' (in AWS it's called 'assume'). My service account called 'bucket-viewer-service-account' is shown below in my project:

$ gcloud projects get-iam-policy myproject
bindings:
- members:
  - serviceAccount:123456789012-compute@developer.gserviceaccount.com
  role: roles/editor
- members:
  - user:me@myemail.com
  role: roles/owner
- members:
  - serviceAccount:bucket-viewer-service-account@myproject.iam.gserviceaccount.com
  role: roles/storage.objectViewer
etag: BwVOE_CkjAo=
version: 1

I want to grant another user the ability to 'act as' this service account and I have applied the following, but not getting very far:

$ gcloud iam service-accounts add-iam-policy-binding \
    bucket-viewer-service-account@myproject.iam.gserviceaccount.com \
    --member='user:test.gcp1@myemail.com' --role='roles/iam.serviceAccountActor'
bindings:
- members:
  - user:user:test.gcp1@myemail.com
  role: roles/iam.serviceAccountActor
etag: BwVOFAhEVqY=

Is that all I have to do so that the user test.gcp1@myemail.com (once they're logged in) can access the resources available to the service account? Or is there another step required for the user to 'assume' the service account?

I've looked through the many pages of documentation Understanding Service Accounts for starters, but most seem to be thinking in terms of applications using service accounts, where the docs definitely mention users, groups etc can use service accounts to.

Answer 4

Apparently, the test.gcp1@myemail.com will not be able to get the privileges this way when you're running commands from your Terminal. A straightforward solution to this problem is to create and use Keys (similar to "Access Keys" in AWS). The following steps describe how you can achieve this:

1. Create "Keys" for your service account:

   gcloud iam service-accounts keys create KEY-FILE-NAME.json --iam-account=SA-NAME@PROJECT-ID.iam.gserviceaccount.com

2. Load the "Keys" in your terminal by adding the following environment variable (in.bashrc or equivalent file for your OS):

   export GOOGLE_APPLICATION_CREDENTIALS="/file-location/KEY-FILE-NAME.json"

3. Open a new terminal (or source your environment variable file) and execute CLI commands which will now be executed as your service account.

PS: Do note that the creation of "Keys" poses a considerable risk to the security of your cloud account. Ensure that the service account has minimum GCP Roles (ie privileges/policies) added and make sure to delete the keys when they are no longer required.