How to Impersonate a Service Account to Authenticate with Google Cloud
There are many ways to authenticate with GCP services. If you want to interact with any Google Cloud service and you are the project owner, it is very easy, since most services are accessible to you with minimal restriction. The real challenge comes when you want to onboard more people onto the project and secure the way each user authenticates to GCP. There are many ways to do this. One would be granting each user direct access to all the services they need, but this is the least used method in practice: as the number of users grows, it becomes very difficult to track how many users there are and which roles each of them holds. Let us explore service account impersonation, which is the safest and easiest way to authenticate with a GCP service, especially when working in a local or dev environment.
What are Service Accounts?
A service account is a special kind of account used by an application or compute workload, rather than a person. Service accounts are managed by Identity and Access Management (IAM).
In order to authenticate with any service on GCP, we can create a service account and grant it all the access it needs to interact with that service. This is less hassle, since we can define roles for the tasks to be performed. When the application has to interact with GCP in a non-dev or production environment, we can store the service account credentials in a secure place using any available secret manager. However, we still need to work with the same service account in the dev environment, or when the application needs to run locally.
The easiest way to authenticate in a Local/Dev environment
Suppose we create a service account to use the Vertex AI platform and we want our users to submit Vertex AI pipelines to run on it. One way to do it would be creating a service account key and distributing it to all the developers to use in their local environments. But key handling is not safe when it has to be done manually by us; there is a chance of losing or compromising the key. In that scenario, we can simply let users impersonate the service account and act as it.
How Service Account Impersonation Works
As per the Google Cloud docs, any user or other service account can act as a service account in a certain way.
When a principal, such as a user or another service account, uses short-lived credentials to authenticate as a service account, it’s called impersonating the service account. Impersonation is typically used to temporarily grant a user elevated access, because it allows users to temporarily assume the roles that the service account has.
A user runs a gcloud CLI command with the --impersonate-service-account flag. This flag causes the gcloud CLI to create short-lived credentials for the service account, then run the command with those credentials. Let us create an example service account to access the Vertex AI platform and submit a pipeline to run.
Creating a Service Account
In this example, we will see how to set up a service account in order to let users impersonate it to use Vertex AI Platform.
Prerequisites:
- A valid Google Cloud project with billing enabled. Before proceeding, check which APIs are enabled in your project using:
gcloud services list --enabled
- Verify that iamcredentials.googleapis.com is enabled. To enable it:
gcloud services enable iamcredentials.googleapis.com
- Verify that cloudresourcemanager.googleapis.com is enabled. To enable it:
gcloud services enable cloudresourcemanager.googleapis.com
- Verify that the Compute Engine default service account has the role roles/iam.serviceAccountTokenCreator or better.
Setting up A New Service Account for Vertex AI
- Go to IAM -> Service Account -> Create
- Make sure the correct project ID is selected in the project dropdown. In my case, the project ID is vertexdemo.
- Enter the service account details as shown in the screenshot below:

Grant access to the users who will be impersonating this service account, as shown below, and you are done.

Verify User Account Permissions
- Go to IAM -> Permissions.
- Make sure the correct project ID is selected in the project dropdown. In my case, the project ID is vertexdemo.
- Find the user who needs to impersonate the service account. Check that the following roles are granted to them on the selected project. If they are not, add the following roles for the user account.

Impersonate Service Account
To verify that the user can access Vertex AI without explicitly being given the key, let us test service account impersonation.
- Assuming you are logged in to gcloud with the same user account, and this account has no direct access to Vertex AI. You have granted this user permission to act as a service account user, as in the image above.
- To verify that we are using the correct project, run the command below. Select the correct project and the user account which has access to the service account.
gcloud init
Once that is verified, use the command below to impersonate the service account:
gcloud auth application-default login --impersonate-service-account=vertexsa@your_project_id.iam.gserviceaccount.com
The above command impersonates the service account. The output of the command looks like this:
Credentials saved to file: [/Users/your_user_account/.config/gcloud/application_default_credentials.json]. These credentials will be used by any library that requests Application Default Credentials (ADC).
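As an added example (not part of the original post), here is a small Python check that inspects the ADC file gcloud saved and confirms it holds an impersonated credential rather than a downloaded service account key. The JSON samples are constructed placeholders in the shape gcloud writes, and the service account email is the one used above; the default path in check_adc_file is the one printed by gcloud.

```python
import json
from pathlib import Path

# Constructed sample of the ADC file gcloud writes after
# `gcloud auth application-default login --impersonate-service-account=...`
# (placeholder values, not real credentials).
SAMPLE_IMPERSONATED_ADC = """{
  "delegates": [],
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/vertexsa@your_project_id.iam.gserviceaccount.com:generateAccessToken",
  "source_credentials": {
    "client_id": "PLACEHOLDER_CLIENT_ID",
    "client_secret": "PLACEHOLDER_CLIENT_SECRET",
    "refresh_token": "PLACEHOLDER_REFRESH_TOKEN",
    "type": "authorized_user"
  },
  "type": "impersonated_service_account"
}"""

# Constructed sample of a downloaded service account key file: the
# long-lived secret the post advises against handing to developers.
SAMPLE_KEY_FILE_ADC = """{
  "type": "service_account",
  "project_id": "your_project_id",
  "private_key_id": "PLACEHOLDER_KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER\\n-----END PRIVATE KEY-----\\n",
  "client_email": "vertexsa@your_project_id.iam.gserviceaccount.com"
}"""


def classify_adc(adc_text: str) -> dict:
    """Report the credential type of an ADC JSON document, which service
    account it acts as (if any), and whether it embeds a private key."""
    adc = json.loads(adc_text)
    kind = adc.get("type")
    email = None
    if kind == "impersonated_service_account":
        # URL ends in .../serviceAccounts/<email>:generateAccessToken
        url = adc["service_account_impersonation_url"]
        email = url.rsplit("/", 1)[1].split(":", 1)[0]
    elif kind == "service_account":
        email = adc.get("client_email")
    return {"type": kind, "service_account": email,
            "has_private_key": "private_key" in adc}


def check_adc_file(path="~/.config/gcloud/application_default_credentials.json"):
    """Classify the ADC file at the path gcloud printed after login."""
    return classify_adc(Path(path).expanduser().read_text())
```

A result with type impersonated_service_account and has_private_key False means the developer machine holds only short-lived, user-bound access to the service account; a service_account type with a private key is a downloaded key that should be removed.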
Submitting a pipeline using the service account
Assuming you have pipeline code in main.py, run the command below:
python main.py
You will see that the pipeline has been submitted to Vertex AI, and a link to it will be generated.

Hopefully, the above blog has helped you. Happy hacking!!