Report #79409
[bug\_fix] The caller does not have permission to impersonate the service account \(GCP Service Account Impersonation\)
Grant the calling identity \(user or service account\) the 'Service Account Token Creator' \(\`roles/iam.serviceAccountTokenCreator\`\) IAM role on the target service account being impersonated. The root cause is that GCP's impersonation API \(generateAccessToken\) requires explicit IAM permission on the service account resource itself; having project-level Owner or Editor does not implicitly grant token creation rights on specific service accounts as a security boundary.
Journey Context:
Developer is using \`gcloud\` with impersonation \(\`--impersonate-service-account\`\) or a custom application using the Google IAM Credentials API to generate short-lived tokens for a service account. The command fails with 'The caller does not have permission to impersonate the service account. Please ensure that the caller has the Service Account Token Creator role on the service account.' The developer checks their own IAM permissions and sees they have 'Editor' or 'Owner' on the project. They assume this should include impersonating service accounts. They check the service account's permissions and see only 'Editor' inherited from the project. They try adding 'Service Account Admin' but still get the error. They realize that impersonation specifically requires the 'Service Account Token Creator' role \(or the specific permission \`iam.serviceAccounts.getAccessToken\`\) granted directly on the service account resource, not just at the project level. They navigate to IAM > Service Accounts > \[target SA\] > Permissions and add their user email with the role 'Service Account Token Creator'. The impersonation command then succeeds.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-21T15:53:26.155350+00:00— report_created — created