How can I impersonate a GCP service account for web console access?

1.5k views

I want a feature similar to AWS's role switching. In AWS I can switch to a role in the AWS web console, impersonating a "service account" for accessing AWS via the website.

Gcloud has support for impersonating service accounts, but I cannot find examples for how to impersonate a service account for web console access.

There are some users who occasionally require access to production GCP projects. It's more convenient for them to use the web console than the CLI sometimes. I don't want to give their user accounts direct access to production; I want to follow best practices and require elevation of privileges. I don't want to create new, additional user accounts for them for production access either.

In gcloud it's easy to impersonate a service account, but is this supported for web console access?

2

There are 2 answers

0
John Hanley On BEST ANSWER

For Google Cloud, one technique that I implement is groups. Each group has a set of roles. When users require access to cloud resources, they go to a backend app to request access. The backend app attaches their identity to the required group for a period of time and automatically removes the identity.

This concept can be extended to allow the user to select additional IAM roles which the backend app adds to the project's IAM binding with automatic removal. Users can also click an "I am done" button to have their elevated roles removed.

This does require development but is relatively minor to implement. Users now know that their elevated access is monitored/tracked and with good training only use it when actually required.
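The grant/remove logic the answer above describes, as an added example that is not John Hanley's code or any Google-provided tool. It assumes the policy document has the shape returned by `gcloud projects get-iam-policy --format=json` (a `bindings` list plus `etag` and `version`), and it uses GCP's documented IAM Condition expression `request.time < timestamp("...")` so that Google itself stops honouring the binding after the expiry even if the backend app's clean-up job never runs; the pruning and revoke functions are what that app would do to keep the policy tidy and to implement the "I am done" button. Reading and writing the policy (getIamPolicy/setIamPolicy) is left out; the functions operate on the policy dict only.

```python
"""Time-bounded IAM role grants on a GCP project policy document (added example)."""
import re
from datetime import datetime, timedelta, timezone

# IAM Conditions are only honoured on policies at version 3; lower versions drop them.
POLICY_VERSION_WITH_CONDITIONS = 3

# Expiry condition shape: request.time < timestamp("2024-01-01T14:00:00Z")
_EXPIRY_RE = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')


def _rfc3339(ts: datetime) -> str:
    """Format a timezone-aware datetime as the RFC 3339 UTC string CEL timestamp() expects."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def grant_temporary_role(policy: dict, member: str, role: str,
                         now: datetime, ttl: timedelta) -> dict:
    """Return a copy of `policy` with a new conditional binding that expires at now + ttl.

    A separate binding is added rather than appending to an existing one, because
    a condition applies to every member of the binding it sits on.
    """
    expires = now + ttl
    bindings = [dict(b, members=list(b["members"])) for b in policy.get("bindings", [])]
    bindings.append({
        "role": role,
        "members": [member],
        "condition": {
            "title": f"temp-{role.split('/')[-1]}-{member}",
            "description": "Elevated access granted by the access-request app (hypothetical)",
            "expression": f'request.time < timestamp("{_rfc3339(expires)}")',
        },
    })
    return {**policy, "version": POLICY_VERSION_WITH_CONDITIONS, "bindings": bindings}


def expiry_of(binding: dict):
    """Return the expiry datetime encoded in the binding's condition, or None if unbounded."""
    cond = binding.get("condition")
    if not cond:
        return None
    m = _EXPIRY_RE.search(cond.get("expression", ""))
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def prune_expired_bindings(policy: dict, now: datetime) -> dict:
    """Return a copy of `policy` without bindings whose expiry has passed.

    GCP already denies access once the condition is false, but the stale binding
    stays in the policy until something removes it; this is that clean-up step.
    Bindings without an expiry condition are kept as they are.
    """
    kept = [b for b in policy.get("bindings", [])
            if (exp := expiry_of(b)) is None or exp > now]
    return {**policy, "bindings": kept}


def revoke_role(policy: dict, member: str, role: str) -> dict:
    """Return a copy of `policy` with `member` removed from every binding for `role`
    (the "I am done" button). Bindings left with no members are dropped."""
    kept = []
    for b in policy.get("bindings", []):
        if b["role"] == role and member in b["members"]:
            remaining = [m for m in b["members"] if m != member]
            if not remaining:
                continue
            b = dict(b, members=remaining)
        kept.append(b)
    return {**policy, "bindings": kept}


def active_roles(policy: dict, member: str, now: datetime) -> list:
    """Roles `member` still holds at `now`, ignoring bindings that have expired."""
    live = prune_expired_bindings(policy, now)["bindings"]
    return sorted(b["role"] for b in live if member in b["members"])


if __name__ == "__main__":
    # Constructed sample policy; etag and members are placeholders, not real values.
    sample = {"version": 1, "etag": "PLACEHOLDER_ETAG",
              "bindings": [{"role": "roles/viewer", "members": ["group:ops@example.com"]}]}
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    elevated = grant_temporary_role(sample, "user:alice@example.com",
                                    "roles/compute.admin", t0, timedelta(hours=2))
    print(active_roles(elevated, "user:alice@example.com", t0 + timedelta(hours=1)))
    print(active_roles(elevated, "user:alice@example.com", t0 + timedelta(hours=3)))
```

Because the expiry lives in the condition, a user who reads the policy can see exactly when their elevation ends, and Cloud Audit Logs record both the setIamPolicy call that granted it and the later one that pruned or revoked it, which is the monitored/tracked property the answer relies on.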

0
Ismael Clemente Aguirre On

Service accounts can be impersonated to access the project's resources using the gcloud CLI, but they can't be used to access the resources of the project using the console, because service accounts are strictly non-human accounts. They are intended for scenarios where your application needs to access resources or perform actions on its own.

If you want to provide access to your users to the web console, configure user accounts:

User accounts are managed as Google Accounts, and they represent a developer, administrator, or any other person who interacts with Google Cloud. They are intended for scenarios where your application needs to access resources on behalf of a human user.

When an application needs to access Google Cloud APIs on behalf of an end user, the application initiates an OAuth consent flow. After the user completes the flow, your application receives an access token that enables your application to call Google Cloud APIs on behalf of the user.

Here you can find guides about signing in users on the web using Identity Platform.

And here you will find more information about using OAuth 2.0 to access Google APIs.