// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// Package impersonate is used to impersonate Google Credentials.
//
// # Required IAM roles
//
// In order to impersonate a service account the base service account must have
// the Service Account Token Creator role, roles/iam.serviceAccountTokenCreator,
// on the service account being impersonated. See
// https://cloud.google.com/iam/docs/understanding-service-accounts.
//
// Optionally, delegates can be used during impersonation if the base service
// account lacks the token creator role on the target. When using delegates,
// each service account must be granted roles/iam.serviceAccountTokenCreator
// on the next service account in the delegation chain.
//
// For example, if a base service account of SA1 is trying to impersonate target
// service account SA2 while using delegate service accounts DSA1 and DSA2,
// the following must be true:
//
//  1. Base service account SA1 has roles/iam.serviceAccountTokenCreator on
//     DSA1.
//  2. DSA1 has roles/iam.serviceAccountTokenCreator on DSA2.
//  3. DSA2 has roles/iam.serviceAccountTokenCreator on target SA2.
//
// If the base credential is an authorized user and not a service account, or if
// the option WithQuotaProject is set, the target service account must have a
// role that grants the serviceusage.services.use permission such as
// roles/serviceusage.serviceUsageConsumer.
package impersonate
33
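The delegation-chain rule above (each account needs roles/iam.serviceAccountTokenCreator on the next one) generalises to chains of any length. The following added example, which is not part of the impersonate package, checks a proposed base -> delegates -> target chain against a constructed, in-memory view of who holds the role on which service account, and reports every missing grant so the gap can be fixed before an impersonation request fails; the `Grants` type, the function names and the example account e-mails are assumptions for illustration only.

```go
package main

import "fmt"

// tokenCreator is the role impersonation requires on the next account in a chain.
const tokenCreator = "roles/iam.serviceAccountTokenCreator"

// Grants maps a service account (the IAM resource) to the set of principals
// that hold roles/iam.serviceAccountTokenCreator on it. This is a constructed
// stand-in; a real check would read each service account's IAM policy.
type Grants map[string]map[string]bool

// MissingGrants walks base -> delegates... -> target and returns one message per
// hop where the previous account lacks the token creator role on the next one.
// An empty result means the chain satisfies the documented requirements.
func MissingGrants(g Grants, base string, delegates []string, target string) []string {
	chain := append([]string{base}, delegates...)
	chain = append(chain, target)
	var missing []string
	for i := 0; i+1 < len(chain); i++ {
		holder, resource := chain[i], chain[i+1]
		if !g[resource][holder] { // lookups on a nil inner map safely yield false
			missing = append(missing, fmt.Sprintf("%s needs %s on %s", holder, tokenCreator, resource))
		}
	}
	return missing
}

func main() {
	// Constructed policy for the SA1 -> DSA1 -> DSA2 -> SA2 example from the
	// package documentation, except that DSA2 was never granted the role on SA2.
	g := Grants{
		"dsa1@example.iam.gserviceaccount.com": {"sa1@example.iam.gserviceaccount.com": true},
		"dsa2@example.iam.gserviceaccount.com": {"dsa1@example.iam.gserviceaccount.com": true},
	}
	delegates := []string{"dsa1@example.iam.gserviceaccount.com", "dsa2@example.iam.gserviceaccount.com"}
	for _, m := range MissingGrants(g, "sa1@example.iam.gserviceaccount.com", delegates, "sa2@example.iam.gserviceaccount.com") {
		fmt.Println(m)
	}
}
```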