I have two different GCP projects and am trying to clone a persistent disk from one project to the other. I have a service account in each project, and I need to create an impersonation token that will allow me to read the persistent disk from one project, and create a new persistent disk resource in the other project.
- Project A -> Service Account A
- Project B -> Service Account B
The problem is that impersonating one or the other service account to create the persistent disk does not work, because a single API call needs to read the disk from Project A and create a new disk in Project B. In other words, I need to make an API call using a single impersonated token that has permissions to both. How can I do this with the Go API client?
Here is my impersonation code as it stands today:
package main

import (
	"context"
	"fmt"

	"golang.org/x/oauth2"
	"google.golang.org/api/impersonate"
	"google.golang.org/api/option"
)

// Impersonate mints a short-lived access token for the service account named by principal, using the caller's own credentials (a service account key JSON); the caller needs roles/iam.serviceAccountTokenCreator on principal.
func Impersonate(ctx context.Context, principal string, credentials []byte) (*oauth2.Token, error) {
	source, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{
		TargetPrincipal: principal,
		Scopes:          []string{"https://www.googleapis.com/auth/compute", "https://www.googleapis.com/auth/cloud-platform"},
	}, option.WithCredentialsJSON(credentials))
	if err != nil {
		return nil, fmt.Errorf("creating impersonated token source: %w", err)
	}
	return source.Token()
}
CodePudding user response:
You can only impersonate one identity at a time. The correct method is to use a service account that has permissions in both projects.
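An added example of what that single-identity approach looks like end to end (this is not the answerer's code and not the asker's): grant one service account, say Service Account B, the permissions it needs in both projects, impersonate only that account with the Impersonate function from the question, and issue one disks.insert call in Project B whose sourceDisk is the full resource path of the disk in Project A. The identity behind the token needs compute.disks.create in Project B (roles/compute.storageAdmin covers it) and compute.disks.useReadOnly on the source disk in Project A, and whoever calls Impersonate needs roles/iam.serviceAccountTokenCreator on Service Account B. The example talks to the Compute Engine REST API directly with the Go standard library so it runs offline; the project, zone and disk names and the apiBase parameter are illustrative assumptions, and the token would come from Impersonate(ctx, "sa-b@project-b.iam.gserviceaccount.com", key).AccessToken in real use.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

// DiskRef names a persistent disk in a particular project and zone.
type DiskRef struct {
	Project, Zone, Name string
}

// Path returns the resource path that disks.insert accepts in sourceDisk.
// Because it carries the project, the source may live in a different project
// from the one the new disk is created in, so one request spans both projects.
func (d DiskRef) Path() string {
	return fmt.Sprintf("projects/%s/zones/%s/disks/%s", d.Project, d.Zone, d.Name)
}

// Operation holds the fields of the zone Operation returned by disks.insert
// that this example reads; the real resource has many more.
type Operation struct {
	Name     string `json:"name"`
	Status   string `json:"status"`
	SelfLink string `json:"selfLink"`
}

// cloneBody is the Disk resource sent to disks.insert in the destination project.
func cloneBody(src, dst DiskRef) ([]byte, error) {
	return json.Marshal(map[string]string{
		"name":       dst.Name,
		"sourceDisk": src.Path(),
	})
}

// CloneDisk creates dst as a copy of src with a single POST to
// {apiBase}/compute/v1/projects/{dst.Project}/zones/{dst.Zone}/disks.
// accessToken is the one impersonated token; the identity behind it must hold
// compute.disks.create in dst.Project and compute.disks.useReadOnly on src.
// apiBase is https://compute.googleapis.com in production and is a parameter
// only so the function can be exercised against a local test server.
func CloneDisk(ctx context.Context, client *http.Client, apiBase, accessToken string, src, dst DiskRef) (*Operation, error) {
	body, err := cloneBody(src, dst)
	if err != nil {
		return nil, err
	}
	endpoint := fmt.Sprintf("%s/compute/v1/projects/%s/zones/%s/disks", apiBase, dst.Project, dst.Zone)
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+accessToken)
	req.Header.Set("Content-Type", "application/json")

	resp, err := client.Do(req)
	if err != nil {
		return nil, fmt.Errorf("calling disks.insert: %w", err)
	}
	defer resp.Body.Close()
	respBody, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return nil, err
	}
	// A 403 here is the symptom from the question: the token's identity lacks a
	// permission in one of the two projects. Surface the API's message verbatim.
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("disks.insert returned HTTP %d: %s", resp.StatusCode, bytes.TrimSpace(respBody))
	}
	var op Operation
	if err := json.Unmarshal(respBody, &op); err != nil {
		return nil, fmt.Errorf("decoding operation: %w", err)
	}
	return &op, nil
}

func main() {
	// Stand-alone run: print the request that would be sent, without network.
	// Project, zone and disk names are placeholders for this example.
	src := DiskRef{Project: "project-a", Zone: "us-central1-a", Name: "data-disk"}
	dst := DiskRef{Project: "project-b", Zone: "us-central1-a", Name: "data-disk-copy"}
	body, _ := cloneBody(src, dst)
	fmt.Printf("POST https://compute.googleapis.com/compute/v1/projects/%s/zones/%s/disks\n%s\n", dst.Project, dst.Zone, body)
}
```

disks.insert returns immediately with a zone operation; the new disk is not usable until that operation reaches DONE (zoneOperations.wait or polling), so a real caller waits on op.Name before using the copy. The IAM grants are one-time bindings, not part of the request: with them in place the same token satisfies the read in Project A and the create in Project B, which is exactly what a per-project token pair cannot do.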