Login/Register
Cannot impersonate GCP ServiceAccount even after granting "Service Account Token Creator" role
Asked Answered
Solved google-cloud-platformgcloudimpersonationservice-accountsgoogle-cloud-iam
H

1

5

I have 2 ServiceAccounts in my Google Cloud Platform (GCP) Project

  • owner
  • executor

The owner ServiceAccount has 1 project-wide role attached to it:

  • "Owner" - for the project

The executor ServiceAccount has ONLY 2 specific roles attached to it (as shown below):

  • "Service Account Token Creator" - on the Owner ServiceAccount
  • "Service Account User" - on the Owner ServiceAccount

enter image description here

Now, I have a JSON key file of the Executor ServiceAccount. I will be using that credential file to "impersonate" the Owner ServiceAccount. And then I will run gcloud commands.

Here is what i am doing.

#!/bin/bash

# --------------------------------------------------------------

export GOOGLE_APPLICATION_CREDENTIALS="$(pwd)/my-executor-sa-key.json"
echo $GOOGLE_APPLICATION_CREDENTIALS
cat $GOOGLE_APPLICATION_CREDENTIALS

OWNER_EMAIL="[email protected]"
echo $OWNER_EMAIL

# --------------------------------------------------------------

CLUSTER="my-k8s-cluster"
ZONE="asia-east1-a"
PROJECT="my-gcp-project"

MY_COMMAND="gcloud container clusters get-credentials ${CLUSTER} --zone ${ZONE} --project ${PROJECT} --impersonate-service-account=${OWNER_EMAIL}"
echo $MY_COMMAND

# --------------------------------------------------------------

`$MY_COMMAND`

# --------------------------------------------------------------

Upon running the above, here is the output I am getting


# --------------------------------------------------------------

/Users/rakib/tmp/my-executor-sa-key.json
{
  "type": "service_account",
  "project_id": "my-gcp-project",
  "private_key_id": "3208--------------------------------5d63",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEv\n----\nEAE9S\n-----END PRIVATE KEY-----\n",
  "client_email": "[email protected]",
  "client_id": "1099--------------5533",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/executor%40my-gcp-project.iam.gserviceaccount.com"
}

[email protected]

# --------------------------------------------------------------

gcloud container clusters get-credentials my-k8s-cluster --zone asia-east1-a --project my-gcp-project --impersonate-service-account=owner@my-gcp-project.iam.gserviceaccount.com

# --------------------------------------------------------------

WARNING: This command is using service account impersonation. All API calls will be executed as [[email protected]].
ERROR: (gcloud.container.clusters.get-credentials) Failed to impersonate [[email protected]]. Make sure the account that's trying to impersonate it has access to the service account itself and the "roles/iam.serviceAccountTokenCreator" role.

What am I missing here? I have indeed granted the Executor ServiceAccount with roles/iam.serviceAccountTokenCreator role on the Owner ServiceAccount.

Why can't it impersonate then?

Hailee answered 21/12, 2020 at 13:50 Comment(10)
Did you followed this? cloud.google.com/iam/docs/…Demoralize
Did you grant the role on the owner service account itself (treating the account as a resource)? Or did you apply the permission to the project? I think you did the latter and you need to do for the former. Will grab you a command to test|doLarimer
No, ignore that... It appears you can grant the role at the project level: cloud.google.com/iam/docs/service-accounts#user-roleLarimer
Just curious - if you do a "gcloud auth list" on the command list, is the owner account listed as the active account, or is your personal login listed as the active account? I'm wondering if your personal account is trumping your executor's SA auth and if you don't have those roles, that might explain the error.Yusuk
That's what i just found out @ingernet. Turns out, i needed to add the gcloud auth activate-service-account --key-file=$PATH_TO_EXECUTOR_SA_JSON command. All along I knew that having the executor SA in $GOOGLE_APPLICATION_CREDENTIALS would suffice. Everywhere i read i see that ADC uses $GOOGLE_APPLICATION_CREDENTIALS - cloud.google.com/docs/authentication/production#automatically. Doesn't gcloud use ADC then?Hailee
No, gcloud does not use ADC.Larimer
Hi @DazWilkin. I am glad to have confirmed this. However, does GCP have any docs or anything anywhere that says that this ADC applies only to their client-libraries and not to their gcloud CLI? Would love to see something officially disclosed by them about this. I couldn't find any.Hailee
Not that I'm aware. Cloud SDK uses explicit auth (gcloud auth) and primarily 3-legged OAuth for human accounts. The ability to auth as service accounts was added subsequently and to facilitate testing. ADCs is intended primarily to simplify auth on cloud-deployed code and, the off-cloud mechanism is to aid testing. It's reasonable to want there to be consistency but the approaches are quite different.Larimer
You could file feedback on Google's Issue Tracker and request the docs be clarifiedLarimer
Thanks for the suggestion @DazWilkin. Tried to raise the request in this google issue tracker - issuetracker.google.com/issues/176175067Hailee
H
6

Turns out, I needed to add the gcloud auth activate-service-account --key-file=$GOOGLE_APPLICATION_CREDENTIALS command (more details here). Setting the $GOOGLE_APPLICATION_CREDENTIALS environment variable alone was not enough for the gcloud CLI tool.

All along, I knew that having the ServiceAccount path in $GOOGLE_APPLICATION_CREDENTIALS would suffice. Everywhere i read i see that ADC uses $GOOGLE_APPLICATION_CREDENTIALS for that:

However, turns out gcloud does not use ADC then. The ADC is used only by the client-libraries like C#, Java, Python, Go, Ruby etc.

I have filed a new case in google's issue-tracker for Google to help improve their documentation to avoid mixup / confusion.

Hailee answered 23/12, 2020 at 7:34 Comment(1)
Thanks, that solved it for me. Hopefully the documentation will be updated with more guidance on this.Dipeptide

© 2022 - 2024 — McMap. All rights reserved.