Grant a group (or a user) permission to impersonate the service account. `roles/iam.serviceAccountTokenCreator` lets the member mint access tokens for the SA, i.e. act with every permission the SA holds, so bind it on the SA itself (as below, not at project level) and only to the principals that actually run Terraform.
resource "google_service_account_iam_member" "allow_us_to_impersonate" {
  # IAM binding scoped to this one service account (not the project): the
  # member may create tokens for the SA and thereby act with whatever roles
  # the SA itself has been granted. Keep the member set minimal.
  member             = "group:GOOGLE_GROUP_EMAIL" # or "user:EMAIL" for a single principal
  role               = "roles/iam.serviceAccountTokenCreator"
  service_account_id = google_service_account.service_account.id
}
Run Terraform as the service account via impersonation (the caller's own credentials are used only to obtain short-lived tokens for the SA, so no SA key file is needed):
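# Run Terraform as the service account. The value is the SA's email, not a
# key file; the google provider reads it and mints short-lived tokens for the
# SA using the caller's own credentials (ADC / gcloud login). The caller must
# therefore hold roles/iam.serviceAccountTokenCreator on that SA.
export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT="SERVICE_ACCOUNT_EMAIL"

# Stop impersonating: unset the variable instead of exporting it as "" so
# the provider (and anything else reading the environment) sees it as
# absent rather than as an empty value, and falls back to the caller's ADC.
unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT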