Support for GCP service account impersonation #550

Open
collado-mike opened this issue Dec 13, 2024 · 0 comments
Labels
enhancement New feature or request

@collado-mike
Contributor

Is your feature request related to a problem? Please describe.

GCP supports service account impersonation, so that given credentials for a service account, it's possible to impersonate a different service account, given that the first is granted privileges to do so. The GcpStorageConfigurationInfo catalog configuration here actually has a gcpServiceAccount field that we never use when vending GCS storage credentials. We can use the code in https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#create-access to assume the target service account, then generate a short-lived token that has the target service account's privileges subscoped to the table location during the credential vending process.

Describe the solution you'd like

No response

Describe alternatives you've considered

No response

Additional context

No response

@collado-mike collado-mike added the enhancement New feature or request label Dec 13, 2024
@flyrain flyrain added this to the 1.0.0 milestone Dec 19, 2024
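
The flow requested in this issue (impersonate the target service account, then subscope its short-lived token to the table location), written against google-auth-library-java as an added example; it is not code from the issue or from the project. The `vend` helper, its parameters and the sample values in `main` are hypothetical, and the single rule shown covers object reads only.

```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.CredentialAccessBoundary.AccessBoundaryRule;
import com.google.auth.oauth2.DownscopedCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ImpersonatedCredentials;
import java.io.IOException;
import java.util.List;

public class ImpersonatedGcsTokenExample {
  // Hypothetical helper: targetServiceAccount would come from the catalog's gcpServiceAccount field.
  static AccessToken vend(String targetServiceAccount, String bucket, String prefix)
      throws IOException {
    // The values are spliced into a CEL string literal, so refuse quote and escape characters.
    if ((bucket + prefix).matches(".*['\\\\].*")) {
      throw new IllegalArgumentException("bucket/prefix must not contain ' or \\");
    }
    // Source identity: whatever the server runs as (Application Default Credentials).
    // It must hold roles/iam.serviceAccountTokenCreator on the target service account.
    GoogleCredentials source = GoogleCredentials.getApplicationDefault();
    // Step 1: short-lived credentials for the target service account (lifetime in seconds).
    ImpersonatedCredentials impersonated = ImpersonatedCredentials.create(
        source, targetServiceAccount, /* delegates= */ null,
        List.of("https://www.googleapis.com/auth/cloud-platform"), /* lifetime= */ 3600);
    // Step 2: access boundary that only allows reading objects under the table location.
    String objectPrefix = "projects/_/buckets/" + bucket + "/objects/" + prefix;
    AccessBoundaryRule readRule = AccessBoundaryRule.newBuilder()
        .setAvailableResource("//storage.googleapis.com/projects/_/buckets/" + bucket)
        .addAvailablePermission("inRole:roles/storage.objectViewer")
        .setAvailabilityCondition(AccessBoundaryRule.AvailabilityCondition.newBuilder()
            .setExpression("resource.name.startsWith('" + objectPrefix + "')")
            .build())
        .build();
    // Step 3: exchange the impersonated token for one restricted by the boundary.
    DownscopedCredentials downscoped = DownscopedCredentials.newBuilder()
        .setSourceCredential(impersonated)
        .setCredentialAccessBoundary(CredentialAccessBoundary.newBuilder().addRule(readRule).build())
        .build();
    return downscoped.refreshAccessToken(); // this token, not the impersonated one, is vended
  }

  public static void main(String[] args) throws IOException {
    // Constructed sample values; replace with a real service account, bucket and table prefix.
    AccessToken token = vend("target-sa@example-project.iam.gserviceaccount.com",
        "example-bucket", "warehouse/db/table/");
    System.out.println("Subscoped token expires at " + token.getExpirationTime());
  }
}
```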