
Source file src/google.golang.org/api/impersonate/doc.go

Documentation: google.golang.org/api/impersonate

// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// Package impersonate is used to impersonate Google Credentials.
//
// # Required IAM roles
//
// In order to impersonate a service account the base service account must have
// the Service Account Token Creator role, roles/iam.serviceAccountTokenCreator,
// on the service account being impersonated. See
// https://cloud.google.com/iam/docs/understanding-service-accounts.
//
// Optionally, delegates can be used during impersonation if the base service
// account lacks the token creator role on the target. When using delegates,
// each service account must be granted roles/iam.serviceAccountTokenCreator
// on the next service account in the delegation chain.
//
// For example, if a base service account of SA1 is trying to impersonate target
// service account SA2 while using delegate service accounts DSA1 and DSA2,
// the following must be true:
//
//  1. Base service account SA1 has roles/iam.serviceAccountTokenCreator on
//     DSA1.
//  2. DSA1 has roles/iam.serviceAccountTokenCreator on DSA2.
//  3. DSA2 has roles/iam.serviceAccountTokenCreator on target SA2.
//
// If the base credential is an authorized user and not a service account, or if
// the option WithQuotaProject is set, the target service account must have a
// role that grants the serviceusage.services.use permission such as
// roles/serviceusage.serviceUsageConsumer.
package impersonate
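The delegation-chain rule in the package comment can be checked before deployment. The following is an added example, not part of the package source: it derives the bindings a chain needs and reports the ones absent from a set of policies. The `Grant` type, both functions, the simplified policy map shape and the sample e-mail addresses are assumptions constructed for illustration.

```go
package main

import "fmt"

const tokenCreator = "roles/iam.serviceAccountTokenCreator"

// Grant: Member must hold tokenCreator on Resource (service account e-mails).
type Grant struct{ Member, Resource string }

// RequiredGrants walks base -> delegates... -> target and returns one binding
// per hop. With no delegates, the base needs the role directly on the target.
func RequiredGrants(base string, delegates []string, target string) []Grant {
	chain := append([]string{base}, delegates...)
	chain = append(chain, target)
	var grants []Grant
	for i := 0; i+1 < len(chain); i++ {
		grants = append(grants, Grant{Member: chain[i], Resource: chain[i+1]})
	}
	return grants
}

// MissingGrants returns the required bindings not present in policies, a
// simplified (assumed) view: resource service account -> role -> members.
func MissingGrants(required []Grant, policies map[string]map[string][]string) []Grant {
	var missing []Grant
	for _, g := range required {
		found := false
		for _, m := range policies[g.Resource][tokenCreator] {
			if m == "serviceAccount:"+g.Member {
				found = true
			}
		}
		if !found {
			missing = append(missing, g)
		}
	}
	return missing
}

func main() {
	// Constructed sample policies: the DSA1 -> DSA2 binding is absent.
	policies := map[string]map[string][]string{
		"dsa1@example.iam.gserviceaccount.com": {tokenCreator: {"serviceAccount:sa1@example.iam.gserviceaccount.com"}},
		"sa2@example.iam.gserviceaccount.com":  {tokenCreator: {"serviceAccount:dsa2@example.iam.gserviceaccount.com"}},
	}
	req := RequiredGrants("sa1@example.iam.gserviceaccount.com",
		[]string{"dsa1@example.iam.gserviceaccount.com", "dsa2@example.iam.gserviceaccount.com"},
		"sa2@example.iam.gserviceaccount.com")
	for _, g := range MissingGrants(req, policies) {
		fmt.Printf("missing: %s needs %s on %s\n", g.Member, tokenCreator, g.Resource)
	}
}
```

Each reported hop is a binding to add on the resource service account only, which keeps the token creator role scoped to the next link in the chain.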
