Grant permission to a group or user

# Lets the members of GOOGLE_GROUP_EMAIL impersonate the service account
# declared as google_service_account.service_account.
# roles/iam.serviceAccountTokenCreator is an impersonation grant: a holder can
# mint tokens for the account and so act with every permission the account
# itself holds. Scope the group narrowly and review its membership.
# GOOGLE_GROUP_EMAIL is a placeholder; to grant a single account use the
# "user:EMAIL" member form instead of "group:EMAIL".
resource "google_service_account_iam_member" "allow_us_to_impersonate" {
service_account_id = google_service_account.service_account.id
role = "roles/iam.serviceAccountTokenCreator"
member = "group:GOOGLE_GROUP_EMAIL"
}

Run Terraform as a service account

# Run as the service account: the Google Terraform provider reads this
# variable and impersonates the named account for every API call.
# SERVICE_ACCOUNT_EMAIL is a placeholder. The caller's own credentials stay
# the base identity and must hold roles/iam.serviceAccountTokenCreator on
# that account (see the IAM binding above); only this shell session is affected.
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT="SERVICE_ACCOUNT_EMAIL"
export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT


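# Stop running as the service account.
# `unset` removes the variable from the environment entirely; exporting an
# empty string leaves it present-but-empty, which still shows up in `env`
# and in "is it set" checks such as ${VAR+x}. Subsequent Terraform runs in
# this session fall back to the caller's own credentials.
unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT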