问题
I have a service running in GCE with default service account A. This service uses gcloud to talk to various GCP services. Currently, it uses service account B to talk to some of the GCP services (using private key). However, we want to get rid of using private key and use account impersonation. To do that, I have added account A to the service account B's role and given token creator role.
I wrote a test program in go and was able to verify the impersonation works. However, our service is in PHP, and uses gcloud SDK. I couldn't find a way to configure gcloud to impersonate a service account or provide custom token.
One option is that I rewrite all the gcloud code to use google SDK, but that is lots of work, and I'd rather avoid that. My question is, how do I invoke gcloud using service account B in this scenario?. Is there a way to pass access token to gcloud or specify impersonation user?
回答1:
gcloud has a --impersonate-service-account flag for this.
回答2:
The Service Account User role is used to run operations as other service account. Using it you can act as a service account and run gcloud commands. The example shows how to use iam.serviceAccountUser role alongside with the compute.instanceAdmin role to create an instance.
来源:https://stackoverflow.com/questions/50921909/how-to-invoke-gcloud-with-service-account-impersonation