Report #100582
[bug_fix] GCP impersonation fails with Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or generateAccessToken)
Grant the caller the `roles/iam.serviceAccountTokenCreator` IAM role on the target service account. Impersonation is a separate permission from the permissions the target SA has on project resources; the caller must be allowed to mint access tokens for the target SA.
Journey Context:
A CI pipeline uses a service account `[email protected]` and tries to impersonate `[email protected]` via `gcloud auth impersonate-service-account`. It fails with `Permission 'iam.serviceAccounts.getAccessToken' denied on resource .../serviceAccounts/[email protected]`. The developer verified that `deployer` has `roles/editor` on the project, but that is irrelevant because impersonation is controlled by who can create tokens for the account, not what the account can do. Adding `roles/iam.serviceAccountTokenCreator` to `[email protected]` on the `deployer` service-account resource makes the impersonation work. The fix is specific: the caller needs Token Creator on the target SA.
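As an added example that is not part of this report, the following Python models the check behind the denial above and builds the binding that fixes it: the caller needs `iam.serviceAccounts.getAccessToken` on the target SA, whether bound directly on the SA resource or inherited from the project. The policy dicts follow the JSON shape returned by `gcloud iam service-accounts get-iam-policy --format=json`; the role-to-permission table is a small hand-written subset, and `PROJECT_ID` plus the account names are placeholders for the report's redacted addresses.

```python
# Added example (not from the report): models the IAM check behind
# `gcloud auth impersonate-service-account`. The caller needs
# iam.serviceAccounts.getAccessToken on the *target* SA, granted directly
# on the SA resource or inherited from the project. Policy dicts follow the
# JSON returned by `gcloud iam service-accounts get-iam-policy --format=json`.
import copy

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
IMPERSONATE_PERM = "iam.serviceAccounts.getAccessToken"

# Hand-written partial subset of predefined-role permissions used here.
ROLE_PERMISSIONS = {
    TOKEN_CREATOR: {IMPERSONATE_PERM, "iam.serviceAccounts.getOpenIdToken"},
    # Editor is broad on project resources but does not grant token minting.
    "roles/editor": {"compute.instances.create", "storage.objects.create"},
}

def roles_for(member, *policies):
    """Every role bound to `member` in any of the given policies."""
    return {b["role"] for p in policies for b in p.get("bindings", [])
            if member in b.get("members", [])}

def can_impersonate(caller, sa_policy, project_policy):
    """True if `caller` holds getAccessToken on the SA (direct or inherited)."""
    return any(IMPERSONATE_PERM in ROLE_PERMISSIONS.get(r, set())
               for r in roles_for(caller, sa_policy, project_policy))

def add_binding(policy, role, member):
    """Copy of `policy` with `member` added to `role`, merging into an existing binding."""
    fixed = copy.deepcopy(policy)
    for b in fixed.setdefault("bindings", []):
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return fixed
    fixed["bindings"].append({"role": role, "members": [member]})
    return fixed

def remediation_command(target_sa, caller):
    """The gcloud command that applies the same binding to the real SA resource."""
    return (f"gcloud iam service-accounts add-iam-policy-binding {target_sa} "
            f"--member='{caller}' --role='{TOKEN_CREATOR}'")

# Constructed sample; PROJECT_ID stands in for the report's redacted addresses.
CALLER = "serviceAccount:ci-runner@PROJECT_ID.iam.gserviceaccount.com"
TARGET_SA = "deployer@PROJECT_ID.iam.gserviceaccount.com"
# Report's state: deployer has roles/editor on the project, ci-runner has nothing on deployer.
PROJECT_POLICY = {"bindings": [{"role": "roles/editor",
                                "members": ["serviceAccount:" + TARGET_SA]}]}
SA_POLICY_BEFORE = {"bindings": []}
SA_POLICY_AFTER = add_binding(SA_POLICY_BEFORE, TOKEN_CREATOR, CALLER)
```

`can_impersonate(CALLER, SA_POLICY_BEFORE, PROJECT_POLICY)` is False and becomes True with `SA_POLICY_AFTER`; `remediation_command(TARGET_SA, CALLER)` prints the `add-iam-policy-binding` call that applies the same change to the live SA.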
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-02T04:45:12.669310+00:00 — report_created — created