I'm digging into solidifying our IAM policies and recently learned that service accounts could be impersonated. This appears to be working great with gcloud via the --impersonate-service-account=NAME@PROJECT.iam.gserviceaccount.com flag; however, I have yet to figure out how to use gsutil with such impersonation.
From an API point of view, it appears that obtaining a short-lived impersonation access token is needed, and then that token is needed for requests. Even if I could obtain such a token out-of-band, it doesn't seem like it could be used with gsutil as is. Am I correct about that?
Assuming there isn't already a way to accomplish this task, is such a feature likely to be added? Thanks!
Yes, we use a Composer service account to execute docker images in Kubernetes, but we'd like to operate on buckets using gsutil with a dedicated service account in those docker images. I don't understand why --impersonate-service-account isn't supported.
I'm happy to report support for service account impersonation was added with v4.44.
Fantastic! Thank you.
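For readers landing here later, the following is an added example (not code from the original thread or from the gsutil project) showing the two impersonation paths the thread talks about: the gsutil -i option and the [Credentials] impersonate_service_account boto setting that shipped with gsutil 4.44, and the API-level route of minting a short-lived access token for the service account (via gcloud, or directly against the IAM Credentials generateAccessToken endpoint). The service account email, bucket name and config path are placeholders; the script assumes the caller's own identity holds roles/iam.serviceAccountTokenCreator on the target service account, and the version check assumes the "gsutil version: X.Y" line that gsutil prints.

```shell
#!/bin/sh
# Added example: impersonating a service account from gsutil and from the API.
# Placeholder identity (assumption): replace with the SA you are allowed to impersonate.
SA="${SA:-storage-worker@my-project.iam.gserviceaccount.com}"
MIN_GSUTIL="4.44"   # first release with -i / impersonate_service_account

# version_ge A B: succeed (0) when dotted version A >= B, compared field by field.
version_ge() {
  _va="$1"; _vb="$2"
  while [ -n "$_va" ] || [ -n "$_vb" ]; do
    _fa="${_va%%.*}"; _fb="${_vb%%.*}"
    case "$_va" in *.*) _va="${_va#*.}";; *) _va="";; esac
    case "$_vb" in *.*) _vb="${_vb#*.}";; *) _vb="";; esac
    _fa="${_fa:-0}"; _fb="${_fb:-0}"
    if [ "$_fa" -gt "$_fb" ]; then return 0; fi
    if [ "$_fa" -lt "$_fb" ]; then return 1; fi
  done
  return 0
}

# parse_gsutil_version TEXT: pull "4.44" out of a "gsutil version: 4.44" line.
parse_gsutil_version() {
  printf '%s\n' "$1" | awk '/^gsutil version:/ { print $3 }'
}

# Fails when the installed gsutil predates impersonation support.
gsutil_supports_impersonation() {
  _out="$(gsutil version 2>/dev/null)" || return 1
  version_ge "$(parse_gsutil_version "$_out")" "$MIN_GSUTIL"
}

# Path 1: per-invocation impersonation with the top-level -i option.
# gsutil mints the short-lived token itself; the caller needs
# roles/iam.serviceAccountTokenCreator on $SA.
impersonated_ls() {
  gsutil -i "$SA" ls "gs://$1"
}

# Path 2: persist the setting in a boto config so every gsutil run uses it.
# Point BOTO_CONFIG at the written file (or merge into ~/.boto).
write_boto_impersonation() {
  printf '[Credentials]\nimpersonate_service_account = %s\n' "$SA" > "$1"
}

# Path 3a: the API-level flow, letting gcloud perform the generateAccessToken call.
mint_impersonated_token() {
  gcloud auth print-access-token --impersonate-service-account="$SA"
}

# Path 3b: the same call made directly against the IAM Credentials API.
# Scope and lifetime are kept tight; the response carries accessToken/expireTime.
mint_token_via_api() {
  _caller="$(gcloud auth print-access-token)" || return 1
  curl -sS -X POST \
    -H "Authorization: Bearer $_caller" \
    -H "Content-Type: application/json" \
    -d '{"scope":["https://www.googleapis.com/auth/devstorage.read_only"],"lifetime":"300s"}' \
    "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/$SA:generateAccessToken"
}

# Usage: sh impersonate.sh check | ls BUCKET | boto PATH | token | token-api
case "${1:-}" in
  check)     gsutil_supports_impersonation && echo "gsutil >= $MIN_GSUTIL: -i supported" ;;
  ls)        impersonated_ls "$2" ;;
  boto)      write_boto_impersonation "$2" ;;
  token)     mint_impersonated_token ;;
  token-api) mint_token_via_api ;;
esac
```

With -i, gsutil does the token minting on the caller's behalf, so nothing needs to be passed out-of-band; the boto setting is the right choice for the container case above, where every gsutil call in the image should act as the dedicated service account. Whichever path is used, audit logs record both the caller and the impersonated account, so keep roles/iam.serviceAccountTokenCreator grants narrow.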