I want a feature similar to AWS's role switching. In AWS I can switch to a role in the AWS web console- impersonating a "service account" for accessing AWS via the website.
Gcloud has support for impersonating service accounts, but I cannot find examples for how to impersonate a service account for web console access.
There are some users which occasionally require access to production gcp projects. It's more convenient for them to use the web console then the cli sometimes. I don't want to give their user accounts direct access to production, I want to follow best practices and require elevation of privileges. I don't want to create new, additional, user accounts for them for production access either.
In Gcloud it's easy to impersonate a service account, but is this supported for web console access?
For Google Cloud, one technique that I implement is groups. Each group has a set of roles. When users require access to cloud resources, they go to a backend app to request access. The backend app attaches their identity to the required group for a period of time and automatically removes the identity.
This concept can be extended to allow the user to select additional IAM roles which the backend app adds to the project's IAM binding with automatic removal. Uses can also click an "I am done" button to have their elevated roles removed.
This does require development but is relatively minor to implement. Users now know that their elevated access is monitored/tracked and with good training only use it when actually required.