google / oauth2l

oauth2l ("oauth tool") is a simple CLI for interacting with Google API authentication.
Apache License 2.0

Support Service Account Impersonation #91

Closed andyrzhao closed 3 years ago

andyrzhao commented 4 years ago

We would like to support service account impersonation, which allows users to exchange access tokens to act as service accounts.

The command may look like:

oauth2l fetch --scope cloud-platform --impersonated-service-account [SERVICE_ACCOUNT]

The command will return a short-term access token to act as the service account specified.

Implementation wise, this command will call the IAM generateAccessToken API method.

We should also consider supporting the reverse - "service account impersonating user account".

andyrzhao commented 4 years ago

Looks like there is a prerequisite for running "add-iam-policy-binding" to bind user to service account, and gcloud is the only tool that can do that AFAIK:

gcloud iam service-accounts add-iam-policy-binding 113258942105700140798 --member="user:andyzhao@google.com" --role="roles/iam.serviceAccountTokenCreator" --project andyzhaotest

Afterwards, service account impersonation can be done through:

curl -H "Authorization: Bearer redacted" -X POST https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/113258942105700140798:generateAccessToken -d "scope=https://www.googleapis.com/auth/cloud-platform"
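As an added example, not code from the oauth2l project: a Go client for the generateAccessToken exchange shown above, sending the JSON body the IAM Credentials API documents (a `scope` array plus an optional `lifetime`) rather than a form-encoded one, plus a constructed fake of the endpoint so it runs offline. The service account id, the cloud-platform scope and the `roles/iam.serviceAccountTokenCreator` prerequisite come from this thread; the fake server, its token values and the function names are assumptions.

```go
package main
import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// JSON bodies documented for the IAM Credentials generateAccessToken method.
type tokenRequest struct {
	Scope    []string `json:"scope"`
	Lifetime string   `json:"lifetime,omitempty"` // e.g. "3600s"; the service caps it
}
type tokenResponse struct {
	AccessToken string `json:"accessToken"`
	ExpireTime  string `json:"expireTime"`
}
// Impersonate exchanges callerToken (whose principal must hold roles/iam.serviceAccountTokenCreator
// on sa) for a short-lived token acting as sa. In production baseURL is https://iamcredentials.googleapis.com.
func Impersonate(baseURL, callerToken, sa string, scopes []string) (*tokenResponse, error) {
	body, _ := json.Marshal(tokenRequest{Scope: scopes, Lifetime: "3600s"})
	u := fmt.Sprintf("%s/v1/projects/-/serviceAccounts/%s:generateAccessToken", baseURL, sa)
	req, _ := http.NewRequest(http.MethodPost, u, bytes.NewReader(body))
	req.Header.Set("Authorization", "Bearer "+callerToken) // the caller's own token
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("generateAccessToken: HTTP %d", resp.StatusCode)
	}
	out := &tokenResponse{}
	return out, json.NewDecoder(resp.Body).Decode(out)
}
// NewFakeIAM is a constructed offline stand-in for the endpoint: it mints a token only for callers presenting allowedToken.
func NewFakeIAM(allowedToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in tokenRequest
		if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&in) != nil || len(in.Scope) == 0 {
			http.Error(w, `{"error":"INVALID_ARGUMENT"}`, http.StatusBadRequest)
		} else if r.Header.Get("Authorization") != "Bearer "+allowedToken {
			http.Error(w, `{"error":"PERMISSION_DENIED"}`, http.StatusForbidden)
		} else {
			json.NewEncoder(w).Encode(tokenResponse{AccessToken: "ya29.constructed", ExpireTime: "2020-01-01T01:00:00Z"})
		}
	}))
}
```

The minted token is what oauth2l would print for the proposed `--impersonated-service-account` flag; it expires at `expireTime`, so callers should re-request rather than cache it long-term.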

andyrzhao commented 3 years ago

Implemented via https://github.com/google/oauth2l/pull/108