This is frustrating because impersonation of a service account is much less flexible than in AWS.
I want users of a Gsuite group to be able to impersonate ALL service accounts in a specific Google project or project folder.
But I'm only seeing examples where you assign the serviceAccountTokenCreator role directly to the specific service account.
This is a pain to manage. If I have X number of service accounts in my dev GCP project, I want to be able to just say "users in group X can impersonate all service accounts in project Y". Is this at all possible? Or do I need to create a binding for EVERY service account with a list of groups/users that can impersonate it?
To allow a member to impersonate all service accounts created in a project, folder, or organization, grant the necessary role on the project, folder, or organization. Reference: https://cloud.google.com/iam/docs/impersonating-service-accounts#impersonate-parent-level
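An added example (not part of the answer above, and not Google's own tooling) that shows the consequence of the parent-level grant from a defender's point of view: a small resolver that merges a project-level IAM policy into each service account's own policy and reports who can mint tokens for which account, and where that grant comes from. The project name, group and user addresses, and both policies are constructed sample data; real policies in the same JSON shape come from `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`.

```python
"""Resolve who can create tokens for which service accounts in a project.

Added example, not code from the original question or answer. The IAM
policies below are constructed sample data; project, group and user
names are placeholders.
"""

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

# Constructed sample: the project-level policy. One binding here covers
# every service account in the project, including ones created later.
PROJECT_POLICY = {
    "bindings": [
        {"role": TOKEN_CREATOR, "members": ["group:dev-team@example.com"]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ]
}

# Constructed sample: per-service-account policies, i.e. the per-SA style
# the question describes. Only one SA carries a direct grant.
SA_POLICIES = {
    "build@my-dev-project.iam.gserviceaccount.com": {
        "bindings": [
            {"role": TOKEN_CREATOR, "members": ["user:alice@example.com"]},
        ]
    },
    "deploy@my-dev-project.iam.gserviceaccount.com": {"bindings": []},
    "reporting@my-dev-project.iam.gserviceaccount.com": {"bindings": []},
}


def members_with_role(policy, role):
    """Return the set of members holding `role` in a single IAM policy."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            members.update(binding.get("members", []))
    return members


def effective_token_creators(project_policy, sa_policies):
    """Map each service account to {member: source-of-grant}.

    A binding on the parent (project, folder or organization) is inherited
    by every service account beneath it, so it is merged with each SA's own
    resource-level bindings. The source tag lets an auditor tell a broad
    parent-level grant apart from a targeted per-SA one.
    """
    inherited = members_with_role(project_policy, TOKEN_CREATOR)
    result = {}
    for sa_email, policy in sa_policies.items():
        direct = members_with_role(policy, TOKEN_CREATOR)
        grants = {member: "project" for member in inherited}
        grants.update({member: "service-account" for member in direct})
        result[sa_email] = grants
    return result


def who_can_impersonate(sa_email, project_policy=PROJECT_POLICY,
                        sa_policies=SA_POLICIES):
    """Sorted list of members able to create tokens for `sa_email`."""
    return sorted(effective_token_creators(project_policy, sa_policies)[sa_email])


if __name__ == "__main__":
    for sa_email, grants in effective_token_creators(PROJECT_POLICY, SA_POLICIES).items():
        print(sa_email)
        for member, source in sorted(grants.items()):
            print(f"  {member:<32} via {source}")
```

The grant itself is a single binding, for example `gcloud projects add-iam-policy-binding PROJECT_ID --member="group:dev-team@example.com" --role="roles/iam.serviceAccountTokenCreator"`. The resolver shows why that is worth reviewing: every service account in the project, including any created afterwards, becomes impersonable by the whole group, so the blast radius of one group membership change is the entire project. Two limits of the example: it does not expand group membership (Google's Policy Analyzer does), and it only merges one parent policy, so a folder- or organization-level binding would have to be passed in as well.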