Impersonate the service account instead of managing a new key

Today I learned how to impersonate a service account to access resources and services on Google Cloud Platform without generating a new service account key and storing it on my local machine for development purposes!

How we do it normally

In order to access a certain resource or service on Google Cloud Platform, we normally go to the console, generate a new service account key and download it to our local machine. We pass the path to this service account key as an environment variable, and it is consumed when we launch the service locally for development. It can be visualized as follows:

[Figure: store service account key locally]

There are several issues with this approach:

How we can make it more secure

To solve the issues mentioned above, we can impersonate the service account. The idea is that instead of generating a new service account key and storing it locally, you generate a short-lived token (normally valid for only 1 hour) and use it to authenticate and authorize.

As far as I know, there are two ways to do it:

export GOOGLE_OAUTH_ACCESS_TOKEN=$(gcloud auth print-access-token --impersonate-service-account=<sa-name>@<project-id>.iam.gserviceaccount.com)

The above can easily be visualized as below:

[Figure: generate a short-lived token]
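The following wrapper script is an added example (not part of the original post) of putting the command above to work: it validates the service account e-mail, refuses to run while a downloaded key file is still wired in through GOOGLE_APPLICATION_CREDENTIALS, mints the short-lived token via impersonation and hands it to the child command only. It assumes gcloud is installed and that your own user account is allowed to impersonate the target service account; the e-mail regex is a simplified approximation of the real naming rules.

```shell
#!/usr/bin/env sh
# Run a local dev command with a short-lived impersonated token instead of a key file.
# Usage: sh with-impersonated-token.sh <sa-email> <command> [args...]

# Check the service-account e-mail before handing it to gcloud.
# Expected form: <sa-name>@<project-id>.iam.gserviceaccount.com
# (assumption: simplified regex, 6-30 lowercase/digit/hyphen chars for each part)
is_sa_email() {
  printf '%s' "$1" \
    | grep -Eq '^[a-z][a-z0-9-]{5,29}@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$'
}

# The point of impersonation is to stop depending on a downloaded key,
# so refuse to proceed while a key file is still configured in the environment.
no_key_file_in_env() {
  [ -z "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]
}

# Mint the token; the default lifetime is one hour and nothing is written to disk.
mint_token() {
  gcloud auth print-access-token --impersonate-service-account="$1"
}

main() {
  sa="$1"; shift
  if ! is_sa_email "$sa"; then
    echo "not a service account e-mail: $sa" >&2
    return 2
  fi
  if ! no_key_file_in_env; then
    echo "GOOGLE_APPLICATION_CREDENTIALS is set; unset it so the key file is not used" >&2
    return 2
  fi
  token=$(mint_token "$sa") || return 1
  # Scope the token to the child process only; it expires on its own.
  GOOGLE_OAUTH_ACCESS_TOKEN="$token" "$@"
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then main "$@"; fi
```

The child command sees the token via GOOGLE_OAUTH_ACCESS_TOKEN, exactly as in the export line above, but nothing long-lived is left behind in your shell or on disk.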


With that, you no longer need to manage another service account key 😙!

Reference
