
Is there a way to use gsutil while impersonating a service account?

I am in the process of attempting to adjust user permissions in Google Cloud and have created a service account that other users can impersonate to access various projects. The gcloud command has the --impersonate-service-account option to make API calls with the proper authentication, but I was wondering if anyone knows how to make such calls using gsutil.

Here's an example of what a successful call looks like using gcloud:

gcloud --impersonate-service-account=superuser@PROJECT1.iam.gserviceaccount.com iam service-accounts list --project PROJECT2
bboe asked Jun 19 '19 00:06



2 Answers

Yes, here's the option:

$ gsutil -i [SERVICE-ACCOUNT]@[PROJECT] [GSUTIL-COMMAND]

Example:

$ gsutil -i [email protected] ls
Fer answered Sep 26 '22 12:09


There is no such option in the top-level gsutil command-line options (at least not a documented one).

By contrast the gcloud --impersonate-service-account is documented.

Things to try:

  • if you use the gsutil distributed with the gcloud SDK - it has some ability to use the credentials established by gcloud auth, see Configuring/Using Credentials Via Cloud Sdk Distribution Of Gsutil
  • if you use the standalone version, check the gsutil config command, which should allow specifying service account credentials (see also Updating To The Latest Configuration File):

-e Prompt for service account credentials. This option requires that -a is not set.

Dan Cornilescu answered Sep 28 '22 12:09