Filed under gcp on November 28, 2023

So today I learned that by default GCP service accounts can’t impersonate themselves. I was trying to run a GitHub Action at work, and one of the things in the script was a call to the credentials service to generate the correct token. I passed the bound GitHub runner service account as the account to impersonate, and got back a 403 error. I ended up forking the action and just pulling it into our repo to short-circuit the impersonation function.

Not a big deal, but an interesting thing nonetheless.

Written by Stephen Gream who lives and works in Melbourne, Australia. You should follow him on Minds