Can we use the Service Account Key to impersonate a Service Account?
Thanks in advance!
“Yes we can use the Service Account Key to impersonate a Service Account”
To use the Service Account key to impersonate a Service Account. Each service account is associated with a public/private RSA key pair. The Service Account Credentials API uses this internal key pair to create short-lived service account credentials, and to sign blobs and JSON Web Tokens (JWTs). This key pair is known as the Google-managed key pair. Follow the documentation on Service Account
For more information on Service Accounts:
For the gcloud invocation, all API requests will be made as the given service account or target service account in an implementation delegation chain instead of the currently selected service account. You can specify either a single service account as the impersonator, or a comma-separated list of service accounts to create an impersonation delegation chain. The Impersonation is done without needing to create ,download and activate a key for the service account or accounts.
In order to make API requests as a service account, your currently selected account must have an IAM role which includes the IAM Service Accounts.gerAccessToken permission for the service account or accounts. Refer the ImpersonateServiceAccount
The details description and usage Service account
Related
I created a service account mycustomsa#myproject.iam.gserviceaccount.com.
Following the GCP best practices, I would like to use it in order to run a GCE VM named instance-1 (not yet created).
This VM has to be able to write logs and metrics for Stackdriver.
I identified:
roles/monitoring.metricWriter
roles/logging.logWriter
However:
Do you advise any additional role I should use? (i.e. instance admin)
How should I setup the IAM policy binding at project level to restrict the usage of this service account just for GCE and instance-1?
For writing logs and metrics on Stackdriver those roles are appropriate, you need to define what kind of activities the instance will be doing. However as John pointed in his comment, using a conditional role binding 1 might be useful as they can be added to new or existing IAM policies to further control access to Google Cloud resources.
As for the best practices on SA, I would recommend to make the SA as secure as possible with the following:
-Specify who can act as service accounts. Users who are Service Account Users for a service account can indirectly access all the resources the service account has access to. Therefore, be cautious when granting the serviceAccountUser role to a user.
-Grant the service account only the minimum set of permissions required to achieve their goal. Learn about granting roles to all types of members, including service accounts.
-Create service accounts for each service with only the permissions required for that service.
-Use the display name of a service account to keep track of the service accounts. When you create a service account, populate its display name with the purpose of the service account.
-Define a naming convention for your service accounts.
-Implement processes to automate the rotation of user-managed service account keys.
-Take advantage of the IAM service account API to implement key rotation.
-Audit service accounts and keys using either the serviceAccount.keys.list() method or the Logs Viewer page in the console.
-Do not delete service accounts that are in use by running instances on App Engine or Compute Engine unless you want those applications to lose access to the service account.
Consider this scenario:
I have two domains: domain1.net and domain2.net.
I have GCP enabled on domain1.net and created a Service Account here that has Domain-Wide Delegation Enabled.
The CLIENT ID from this Service Account is configured on domain1.net GSuite Admin Console as domain wide delegation and has the following OAuth2 scopes enabled:
SCOPES = [
'https://www.googleapis.com/auth/admin.directory.group',
'https://www.googleapis.com/auth/admin.directory.group.readonly',
'https://www.googleapis.com/auth/admin.directory.group.member',
'https://www.googleapis.com/auth/admin.directory.group.member.readonly',
]
I have a Cloud Function that uses the Service Account's rights to create a OAuth2 JWT, to be able to access GSuite domain1.net APIs. Code Sample Here.
The user to impersonate in GSuite has Group Admin Roles to be able to create GSuite Groups.
All this configuration works perfectly, I am able to create Groups in domain1.net using a Cloud Funtion in domain1.net GCP env.
But if I use the same Service Account CLIENT ID in domain2.net give the same OAuth2 Scopes, create an user with Group Admin Roles and use this user to create new groups, it doesn't work.
Error:
error got with oauth2client==4.1.3
oauth2client.client.HttpAccessTokenRefreshError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.
error got with google.oauth2:
googleapiclient.errors.HttpError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.
Now the above error code: unauthorized_client found in this documentation specifies that the CLIENT ID is incorrect and I've might have used the Service Account's email, which I did not.
Is Domain-Wide Delegation cross GSuite organization(different domain) capable?
I know that it works in any sub-domain of domain1.net but not in any other GSuite organization(different domain like domain2.net).
I have good news for you (This won't answer your question but will solve your problem)!
You won't need to impersonate an admin anymore to create groups. Google just last week announced that the Cloud Identity Groups API will now allow for Group Management via API w/o impersonating an admin.
Take a look at these update blogs:
https://gsuiteupdates.googleblog.com/2020/08/use-service-accounts-google-groups-without-domain-wide-delegation.html
https://gsuiteupdates.googleblog.com/2020/08/service-accounts-in-google-groups-beta.html
https://gsuiteupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html
I can't help you with the actual question, tho; that's just not my territory.
A service account belongs to the application for which you created it. If this application belongs to domain1.net, the service account will be able to impersonate accounts from domain1.net, not from any other domain.
If you want a service account to impersonate users from domain2.net, create another service account on a GCP project that belongs to domain2.net.
Reference:
Using OAuth 2.0 for Server to Server Applications
I'd like to use Vault to store/retrieve secrets for different projects on Google Cloud. Vault itself is in its own gcp project. Can I use Vault to authenticate the service accounts of multiple different projects?
My attempt to do so is yielding an error on missing permission.
I've checked that the service account that Vault is using has the iam.serviceAccountKeys.get permission. The service account trying to be authenticated doesn't.
I'm guessing that the permission error is about trying to find check the service account key of a foreign project.
* could not find service account key 'projects/-/serviceAccounts/name#project.iam.gserviceaccount.com/keys/xxxxxxxxxxxx': googleapi:
Error 403: Permission iam.serviceAccountKeys.get is required to perform this operation on service account key projects/-/serviceAccounts/name#project.iam.gserviceaccount.com/keys/xxxxxxxxxxxxxxx., forbidden or could not find Google Oauth cert with given 'kid' id xxxxxxxxxxxxxxxxxxx: could not find public key with kid 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
Does iam.serviceAccountKeys.get only allow authentication of ids within the project?
Yes, you need to make sure that bound_projects is either empty or includes the list of all projects for which you want to bind:
$ vault write auth/gcp/config /
bound_projects=p1,p2,p3...
You also need to make sure that the service account which is running Vault has the following roles:
roles/iam.serviceAccountKeyAdmin
roles/browser
You need to give the following roles to the service account which is authenticating to Vault:
roles/iam.serviceAccountTokenCreator
what's the equivalent of AWS account number in Google cloud ?
If the user adds 2 service accounts to a portal, how to validate if the service accounts belong to different accounts or a single account.
AFAIK in GCP there's no account ID.
By reading the AWS documentation looks like the concepts are slighty different in GCP and in AWS.
As I understand, you want to identify if a service account in GCP belongs to an account, the thing here is that service accounts in GCP do not belong to any account.
Quoting from the documentation:
One of the features of IAM service accounts is that you can treat it both as a resource and as an identity.
When treating the service account as an identity, you can grant a
role to a service account, enabling it to access a resource (such as
a project).
When treating a service account as a resource, you can grant permission to a user to access that service account. You can grant
the Owner, Editor, Viewer, or Service Account User role to a user to
access the service account.
Example of how service accounts work in GCP as an identity:
Let's say that I have 2 GCP projects where I am owner in both
projects:
projectA where I am owner with my email owner-of-project#gmail.com
projectB where I am owner with my email owner-of-project#gmail.com
I log into projectA with owner-of-project#gmail.com and from there I create a service account:
Service account name: service-account-project-A
Role of the service account (permissions): "Compute Engine Admin" (meaning that this service account will have only access to Compute Engine resources within projectA).
Service account ID: service-account-project-a#projectA.iam.gservice
I can choose to generate a private key for this service account
I can also choose to enable G Suite Domain-wide Delegation
Then I can log into projectB with owner-of-project#gmail.com.
Once there I can add the service account as a member of projectB so the Compute Engine resources within project A will be reachable from projectB.
What you can do is list all the service accounts that are added in a particular project in the Service Accounts section of GCP Console.
I'm attempting to give API Credentials access to a user via IAM. However, I'm unable to find an existing Predefined Product Role that encapsulates these permissions. The closest I can find is roles/
iam.serviceAccountTokenCreator under Service Account but that only allows me to grant access to:
Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc).
I don't want to create a Service account, but simply another user account which can sign in and manage the OAuth credentials / access keys.
To be able to create an API Key, the IAM user must have the Editor role roles/editor on the project.
Reference:
Creating an API key
You now need the role roles/serviceusage.apiKeysAdmin, according to https://cloud.google.com/docs/authentication/api-keys#managing_api_keys