how can I get my gcloud user creds into a container securely and use them to impersonate a service account when testing locally?

Question

Starting with this:

• users have their own google user accounts that are setup locally via gcloud login
• the application is using the gcp APIs in the usual way- by default it will look for GOOGLE_APPLICATION_CREDENTIALS, GCE roles, service accounts, or use the local users gcloud configured credentials
• when users run it locally it will use their own user account, when run in gcp it will use a service account
• The user's account also has access to impersonate the service account. So when running the app locally users first do gcloud config set auth/impersonate_service_account [SA_FULL_EMAIL] and it can be run with the same creds as what will run in the dev environment- without them having to download any keys

Now that works. BUT I also want to make it possible to run the applications locally in containers too. Using docker/docker-compose/minikube/etc how can I make it possible to impersonate a service account?

the container would need access to the gcloud creds and it would need to set impersonation in the session too before the app starts somehow. This must not be done in code- the app should just use the APIs as normal without having to do anything differently.

EDIT: when applications run in dev or prod GCP accounts/projects they run in the context of a service account that has correctly scoped permissions for that specific application. Developer's own user accounts have broad permissions to the dev environment. When running locally its useful to run with the same service account that application runs with in the dev environment instead of the developer's own user account

Answer 1

The correct way to achieve this is the Secret Manager that is supplied by Google Cloud.

• Activate Secret Manager API in your Google Cloud account.
• Create Secret data and relevant payload either using GC UI or sdk.
• Use the following function in your settings.py with your Project ID.
• Give permissions for your service account to access Secrets (If it does not already have access)
• Use the Secret Manager to access the payloads in your code without explicitly exposing the payload.

 def access_secret_version(secret_id): """ Access the payload for the given secret version if one exists. The version can be a version number as a string (eg "5") or an alias (eg "latest"). """ project_id = PROJECT_ID version_id = 1 # Import the Secret Manager client library. from google.cloud import secretmanager_v1beta1 as secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() # Build the resource name of the secret version. name = client.secret_version_path(project_id, secret_id, version_id) # Access the secret version. response = client.access_secret_version(name) # Print the secret payload. # # WARNING: Do not print the secret in a production environment - this # snippet is showing how to access the secret material. payload = response.payload.data.decode('UTF-8') # logging.info('Plaintext: {}'.format(payload)) logging.info('Secret accessed for:' + secret_id) return payload

Answer 2

This what I wanted

GSA_TOKEN=$(gcloud auth print-access-token --impersonate-service-account mygsa)
docker run --env GOOGLE_APPLICATION_CREDENTIALS=$GSA_TOKEN my-image