Is there a way to use gsutil while impersonating a service account?

Asked 19/6, 2019 at 0:32 Answered 13/1, 2020 at 16:31

I am in the process of attempting to adjust user permissions in Google Cloud and have created a service account that other users can impersonate to access various projects. The gcloud command has the --impersonate-service-account option to make API calls with the proper authentication, but I was wondering if anyone knows how to make such calls using gsutil.

Here's an example of what a successful call looks like using gcloud:

gcloud --impersonate-service-account=superuser@PROJECT1.iam.gserviceaccount.com iam service-accounts list --project PROJECT2

Unobtrusive answered 19/6, 2019 at 0:32 Comment(0)

Yes, here's the option:

$ gsutil -i [SERVICE-ACCOUNT]@[PROJECT] [GSUTIL-COMMAND]

Example:

$ gsutil -i [email protected] ls

Guarneri answered 13/1, 2020 at 16:31 Comment(0)

There is no such option in the top-level gsutil command-line options (at least not a documented one).

By contrast the gcloud --impersonate-service-account is documented.

Things to try:

if you use the gsutil distributed with the gcloud SDK - it has some ability to use the credentials established by gcloud auth, see Configuring/Using Credentials Via Cloud Sdk Distribution Of Gsutil
if you use the standalone version, check the gsutil config command, which should allow specifying a service account credentials (see also Updating To The Latest Configuration File):

-e Prompt for service account credentials. This option requires that -a is not set.

Danilodanio answered 19/6, 2019 at 3:34 Comment(1)

I previously tried the things you suggested and have come to a similar conclusion that as of now, no such feature exists. I opened this issue on the gsutil github project: github.com/GoogleCloudPlatform/gsutil/issues/813 Thanks! – Unobtrusive 19/6, 2019 at 5:3

Recommended topics

Hot tags