Service account impersonation

plugins/doc_fragments/gcp.py

@@ -21,7 +21,7 @@ class ModuleDocFragment(object):
             - The type of credential used.
         type: str
         required: true
-        choices: [ application, machineaccount, serviceaccount ]
+        choices: [ application, machineaccount, serviceaccount, impersonation ]
     service_account_contents:
         description:
             - The contents of a Service Account JSON file, either in a dictionary or as a JSON string that represents it.

plugins/inventory/gcp_compute.py

@@ -57,7 +57,7 @@
             description:
                 - The type of credential used.
             required: True
-            choices: ['application', 'serviceaccount', 'machineaccount', 'accesstoken']
+            choices: ['application', 'serviceaccount', 'machineaccount', 'accesstoken', 'impersonation']
             env:
                 - name: GCP_AUTH_KIND
         scopes:
@@ -84,6 +84,7 @@
             description:
                 - An optional service account email address if machineaccount is selected
                   and the user does not wish to use the default email.
+                - Required service account to impersonate if impersonation is selected.
             env:
                 - name: GCP_SERVICE_ACCOUNT_EMAIL
         access_token:

plugins/module_utils/gcp_utils.py

@@ -17,6 +17,7 @@
 try:
     import google.auth
     import google.auth.compute_engine
+    import google.auth.impersonated_credentials
     from google.oauth2 import service_account, credentials as oauth2
     from google.auth.transport.requests import AuthorizedSession
     HAS_GOOGLE_LIBRARIES = True
@@ -200,9 +201,9 @@ def _validate(self):
         if not HAS_GOOGLE_LIBRARIES:
             self.module.fail_json(msg="Please install the google-auth library")
 
-        if self.module.params.get('service_account_email') is not None and self.module.params['auth_kind'] != 'machineaccount':
+        if self.module.params.get('service_account_email') is not None and not self.module.params['auth_kind'] in ['machineaccount','impersonation']:
             self.module.fail_json(
-                msg="Service Account Email only works with Machine Account-based authentication"
+                msg="Service Account Email only works with Impersonation and Machine Account-based authentication"
             )
 
         if (self.module.params.get('service_account_file') is not None or
@@ -260,6 +261,20 @@ def _credentials(self):
                     msg='An access token must be supplied when auth_kind is accesstoken'
                 )
             return oauth2.Credentials(access_token, scopes=self.module.params['scopes'])
+
+        if cred_type == 'impersonation':
+            service_account_email = self.module.params.get('service_account_email')
+            if service_account_email is None:
+                self.module.fail_json(
+                        msg='Service Account impersonation authentication requires setting service_account_email'
+                )
+            source_credentials, _ = google.auth.default()
+            return google.auth.impersonated_credentials.Credentials(
+                source_credentials=source_credentials,
+                target_principal=self.module.params['service_account_email'],
+                target_scopes=self.module.params['scopes'],
+                lifetime=3600,
+                )
 
         self.module.fail_json(msg="Credential type '%s' not implemented" % cred_type)
 
@@ -291,7 +306,7 @@ def __init__(self, *args, **kwargs):
                 auth_kind=dict(
                     required=True,
                     fallback=(env_fallback, ['GCP_AUTH_KIND']),
-                    choices=['machineaccount', 'serviceaccount', 'accesstoken', 'application'],
+                    choices=['machineaccount', 'serviceaccount', 'accesstoken', 'application', 'impersonation'],
                     type='str'),
                 service_account_email=dict(
                     required=False,

plugins/modules/gcp_appengine_firewall_rule.py

@@ -88,6 +88,7 @@
     - machineaccount
     - serviceaccount
     - accesstoken
+    - impersonation
   service_account_contents:
     description:
     - The contents of a Service Account JSON file, either in a dictionary or as a
@@ -101,6 +102,7 @@
     description:
     - An optional service account email address if machineaccount is selected and
       the user does not wish to use the default email.
+    - Required service account to impersonate if impersonation is selected.
     type: str
   access_token:
     description:

plugins/modules/gcp_appengine_firewall_rule_info.py

@@ -53,6 +53,7 @@
     - machineaccount
     - serviceaccount
     - accesstoken
+    - impersonation
   service_account_contents:
     description:
     - The contents of a Service Account JSON file, either in a dictionary or as a
@@ -66,6 +67,7 @@
     description:
     - An optional service account email address if machineaccount is selected and
       the user does not wish to use the default email.
+    - Required service account to impersonate if impersonation is selected.
     type: str
   access_token:
     description:

plugins/modules/gcp_bigquery_dataset.py

@@ -225,6 +225,7 @@
     - machineaccount
     - serviceaccount
     - accesstoken
+    - impersonation
   service_account_contents:
     description:
     - The contents of a Service Account JSON file, either in a dictionary or as a
@@ -238,6 +239,7 @@
     description:
     - An optional service account email address if machineaccount is selected and
       the user does not wish to use the default email.
+    - Required service account to impersonate if impersonation is selected.
     type: str
   access_token:
     description:

plugins/modules/gcp_bigquery_dataset_info.py

@@ -53,6 +53,7 @@
     - machineaccount
     - serviceaccount
     - accesstoken
+    - impersonation
   service_account_contents:
     description:
     - The contents of a Service Account JSON file, either in a dictionary or as a
@@ -66,6 +67,7 @@
     description:
     - An optional service account email address if machineaccount is selected and
       the user does not wish to use the default email.
+    - Required service account to impersonate if impersonation is selected.
     type: str
   access_token:
     description:

plugins/modules/gcp_bigquery_table.py

@@ -476,6 +476,7 @@
     - machineaccount
     - serviceaccount
     - accesstoken
+    - impersonation
   service_account_contents:
     description:
     - The contents of a Service Account JSON file, either in a dictionary or as a
@@ -489,6 +490,7 @@
     description:
     - An optional service account email address if machineaccount is selected and
       the user does not wish to use the default email.
+    - Required service account to impersonate if impersonation is selected.
     type: str
   access_token:
     description:

plugins/modules/gcp_bigquery_table_info.py

@@ -71,6 +71,7 @@
     description:
     - An optional service account email address if machineaccount is selected and
       the user does not wish to use the default email.
+    - Required service account to impersonate if impersonation is selected.
     type: str
   access_token:
     description:

plugins/modules/gcp_bigtable_instance.py

@@ -118,6 +118,7 @@
     - machineaccount
     - serviceaccount
     - accesstoken
+    - impersonation
   service_account_contents:
     description:
     - The contents of a Service Account JSON file, either in a dictionary or as a
@@ -131,6 +132,7 @@
     description:
     - An optional service account email address if machineaccount is selected and
       the user does not wish to use the default email.
+    - Required service account to impersonate if impersonation is selected.
     type: str
   access_token:
     description:

plugins/modules/gcp_bigtable_instance_info.py

@@ -53,6 +53,7 @@
     - machineaccount
     - serviceaccount
     - accesstoken
+    - impersonation
   service_account_contents:
     description:
     - The contents of a Service Account JSON file, either in a dictionary or as a
@@ -66,6 +67,7 @@
     description:
     - An optional service account email address if machineaccount is selected and
       the user does not wish to use the default email.
+    - Required service account to impersonate if impersonation is selected.
     type: str
   access_token:
     description:

plugins/modules/gcp_cloudbuild_trigger.py

@@ -728,6 +728,7 @@
     - machineaccount
     - serviceaccount
     - accesstoken
+    - impersonation
   service_account_contents:
     description:
     - The contents of a Service Account JSON file, either in a dictionary or as a
@@ -741,6 +742,7 @@
     description:
     - An optional service account email address if machineaccount is selected and
       the user does not wish to use the default email.
+    - Required service account to impersonate if impersonation is selected.
     type: str
   access_token:
     description:

plugins/modules/gcp_cloudbuild_trigger_info.py

@@ -53,6 +53,7 @@
     - machineaccount
     - serviceaccount
     - accesstoken
+    - impersonation
   service_account_contents:
     description:
     - The contents of a Service Account JSON file, either in a dictionary or as a
@@ -66,6 +67,7 @@
     description:
     - An optional service account email address if machineaccount is selected and
       the user does not wish to use the default email.
+    - Required service account to impersonate if impersonation is selected.
     type: str
   access_token:
     description:

plugins/modules/gcp_cloudfunctions_cloud_function.py

@@ -175,6 +175,7 @@
     - machineaccount
     - serviceaccount
     - accesstoken
+    - impersonation
   service_account_contents:
     description:
     - The contents of a Service Account JSON file, either in a dictionary or as a
@@ -188,6 +189,7 @@
     description:
     - An optional service account email address if machineaccount is selected and
       the user does not wish to use the default email.
+    - Required service account to impersonate if impersonation is selected.
     type: str
   access_token:
     description:

plugins/modules/gcp_cloudfunctions_cloud_function_info.py

@@ -58,6 +58,7 @@
     - machineaccount
     - serviceaccount
     - accesstoken
+    - impersonation
   service_account_contents:
     description:
     - The contents of a Service Account JSON file, either in a dictionary or as a
@@ -71,6 +72,7 @@
     description:
     - An optional service account email address if machineaccount is selected and
       the user does not wish to use the default email.
+    - Required service account to impersonate if impersonation is selected.
     type: str
   access_token:
     description:

plugins/modules/gcp_cloudscheduler_job.py

@@ -311,6 +311,7 @@
     - machineaccount
     - serviceaccount
     - accesstoken
+    - impersonation
   service_account_contents:
     description:
     - The contents of a Service Account JSON file, either in a dictionary or as a
@@ -324,6 +325,7 @@
     description:
     - An optional service account email address if machineaccount is selected and
       the user does not wish to use the default email.
+    - Required service account to impersonate if impersonation is selected.
     type: str
   access_token:
     description:

plugins/modules/gcp_cloudscheduler_job_info.py

@@ -58,6 +58,7 @@
     - machineaccount
     - serviceaccount
     - accesstoken
+    - impersonation
   service_account_contents:
     description:
     - The contents of a Service Account JSON file, either in a dictionary or as a
@@ -71,6 +72,7 @@
     description:
     - An optional service account email address if machineaccount is selected and
       the user does not wish to use the default email.
+    - Required service account to impersonate if impersonation is selected.
     type: str
   access_token:
     description:

plugins/modules/gcp_cloudtasks_queue.py

@@ -189,6 +189,7 @@
     - machineaccount
     - serviceaccount
     - accesstoken
+    - impersonation
   service_account_contents:
     description:
     - The contents of a Service Account JSON file, either in a dictionary or as a
@@ -202,6 +203,7 @@
     description:
     - An optional service account email address if machineaccount is selected and
       the user does not wish to use the default email.
+    - Required service account to impersonate if impersonation is selected.
     type: str
   access_token:
     description:

plugins/modules/gcp_cloudtasks_queue_info.py

@@ -58,6 +58,7 @@
     - machineaccount
     - serviceaccount
     - accesstoken
+    - impersonation
   service_account_contents:
     description:
     - The contents of a Service Account JSON file, either in a dictionary or as a
@@ -71,6 +72,7 @@
     description:
     - An optional service account email address if machineaccount is selected and
       the user does not wish to use the default email.
+    - Required service account to impersonate if impersonation is selected.
     type: str
   access_token:
     description:

plugins/modules/gcp_compute_address.py

@@ -154,6 +154,7 @@
     - machineaccount
     - serviceaccount
     - accesstoken
+    - impersonation
   service_account_contents:
     description:
     - The contents of a Service Account JSON file, either in a dictionary or as a
@@ -167,6 +168,7 @@
     description:
     - An optional service account email address if machineaccount is selected and
       the user does not wish to use the default email.
+    - Required service account to impersonate if impersonation is selected.
     type: str
   access_token:
     description:

plugins/modules/gcp_compute_address_info.py

@@ -66,6 +66,7 @@
     - machineaccount
     - serviceaccount
     - accesstoken
+    - impersonation
   service_account_contents:
     description:
     - The contents of a Service Account JSON file, either in a dictionary or as a
@@ -79,6 +80,7 @@
     description:
     - An optional service account email address if machineaccount is selected and
       the user does not wish to use the default email.
+    - Required service account to impersonate if impersonation is selected.
     type: str
   access_token:
     description:

plugins/modules/gcp_compute_autoscaler.py

@@ -261,6 +261,7 @@
     - machineaccount
     - serviceaccount
     - accesstoken
+    - impersonation
   service_account_contents:
     description:
     - The contents of a Service Account JSON file, either in a dictionary or as a
@@ -274,6 +275,7 @@
     description:
     - An optional service account email address if machineaccount is selected and
       the user does not wish to use the default email.
+    - Required service account to impersonate if impersonation is selected.
     type: str
   access_token:
     description:

plugins/modules/gcp_compute_autoscaler_info.py

@@ -65,6 +65,7 @@
     - machineaccount
     - serviceaccount
     - accesstoken
+    - impersonation
   service_account_contents:
     description:
     - The contents of a Service Account JSON file, either in a dictionary or as a
@@ -78,6 +79,7 @@
     description:
     - An optional service account email address if machineaccount is selected and
       the user does not wish to use the default email.
+    - Required service account to impersonate if impersonation is selected.
     type: str
   access_token:
     description: