Proposal: Add -impersonate-service-account flag

I'm aware this tool is now partially integrated into `gcloud run services proxy`, but I find it useful for accessing IAP-protected services without modifying the application.

## Proposal

Add a new `-impersonate-service-account` flag that uses [google.golang.org/api/impersonate](https://pkg.go.dev/google.golang.org/api/impersonate) to generate ID tokens with the correct audience.

This enables access to IAP-protected services with `gcloud auth application-default login`, without needing service account key files.

## Usage

```bash
cloud-run-proxy \
  -host "https://iap-protected-app.example.com" \
  -audience "SA_UNIQUE_ID" \
  -authorization-header "Authorization" \
  -impersonate-service-account "my-sa@my-project.iam.gserviceaccount.com"
```

The user needs `roles/iam.serviceAccountTokenCreator` on the target service account.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Proposal: Add -impersonate-service-account flag #52

Proposal

Usage

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Proposal: Add -impersonate-service-account flag #52

Description

Proposal

Usage

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions