Implement ADC service account impersonation · Issue #12497 · googleapis/google-cloud-cpp · GitHub
Implement ADC service account impersonation #12497
Open
@coryan

Description

@coryan

This is described internally at go/adc-impersonation

Basically it requires extending the parsing of the ADC configuration file (if it exists) to support a new type: impersonated_service_account. This new type supports the following JSON format:

  • "service_account_impersonation_url": string, the URL to use for the impersonation workflow.
    • Example: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sa3@developer.gserviceaccount.com:generateAccessToken"
  • "delegates": array of string. The list of delegates to use in the impersonation workflow.
    • Example: ["sa1@developer.gserviceaccount.com", "sa2@developer.gserviceaccount.com" ]
  • "source_credentials": object, the base credentials to authenticate with.
  • "type": string, the value "impersonated_service_account"

Recall that we already implement this form of impersonation for external accounts, so there is existing code to reuse.

For details on the impersonation workflow, see:

https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateAccessToken
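
A sketch of the checks a loader could apply to the fields listed above once the JSON has been parsed. This is an added example, not code from the issue or from google-cloud-cpp. The struct and function names are hypothetical, and accepting only the `iamcredentials.googleapis.com` endpoint from the issue's example URL is an assumption.

```cpp
#include <string>
#include <vector>

// Fields of an "impersonated_service_account" ADC file after JSON parsing.
// Hypothetical struct for this example; the JSON step itself is not shown.
struct ImpersonatedConfig {
  std::string type;
  std::string service_account_impersonation_url;
  std::vector<std::string> delegates;  // may be empty
  bool has_source_credentials;         // true if the object was present
};

// Returns the target service account named in the impersonation URL, or ""
// if the URL is not an https generateAccessToken call on the endpoint from
// the issue's example. Assumption: no other host is accepted.
std::string TargetServiceAccount(std::string const& url) {
  std::string const prefix =
      "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/";
  std::string const suffix = ":generateAccessToken";
  if (url.size() <= prefix.size() + suffix.size()) return "";
  if (url.compare(0, prefix.size(), prefix) != 0) return "";
  if (url.compare(url.size() - suffix.size(), suffix.size(), suffix) != 0) {
    return "";
  }
  std::string sa =
      url.substr(prefix.size(), url.size() - prefix.size() - suffix.size());
  // The account must be a single path segment with no query or fragment.
  if (sa.find_first_of("/?#: \t\r\n") != std::string::npos) return "";
  return sa;
}

// Returns "" when the configuration is usable, otherwise the reason to reject
// it before any token from the source credentials is sent anywhere.
std::string ValidateConfig(ImpersonatedConfig const& c) {
  if (c.type != "impersonated_service_account") return "unexpected type";
  if (!c.has_source_credentials) return "missing source_credentials";
  if (TargetServiceAccount(c.service_account_impersonation_url).empty()) {
    return "invalid service_account_impersonation_url";
  }
  for (std::string const& d : c.delegates) {
    if (d.empty()) return "empty delegate";
  }
  return "";
}
```

Pinning the URL prefix matters because the access token obtained from `source_credentials` is sent as the bearer token to whatever host the file names.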

    Labels

    type: feature request ('Nice-to-have' improvement, new feature or different behavior or design.)
