DEVHIDE
Login Or Sign up

How can i limit an user account to impersonate only some target service accounts?

196 Views Asked by At

I have an user account that want to impersonate some service accounts at same project. I know I can assign Service Account Token Creator role to this user account to enable impersonate.

But the problem is that the user account can impersonate any service accounts at same project. How can I limit an user account that can only impersonate only some target service accounts?

I also look up IAM condition but it seems that it doesn't support service account resource type.

google-cloud-iam
Original Q&A
1

There are 1 best solutions below

1
On BEST ANSWER

Modify the IAM policy bindings for the service account instead of the project.

Service accounts are also resources that can have their own allow policies. As a result, you can let other principals access a service account by granting them a role on the service account, or on one of the service account's parent resources. For example, to let a user impersonate a service account, you could grant the user the Service Account User role (roles/iam.serviceAccountUser) on the service account.

Review this link and this link.

Related Questions in GOOGLE-CLOUD-IAM

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.