ka...@google.com <ka...@google.com> #2
Hello,
Thank you for reaching out. I'm going to create an internal feature request. Please keep in mind that this feature request has to be analyzed and considered by the product team and I can't provide you an ETA for it to be delivered. However, you can keep track of the status by following this thread.
Description
What you would like to accomplish:
IAM needs to support service account names within IAM conditions. This would allow limiting the iam.serviceAccounts.getAccessToken permission to specific service accounts, providing the desired granularity without introducing condition mismatches.
Currently, there is no workaround within PAM to achieve this level of restriction.
How this might work:
Short-term workaround:
Grant broader access with PAM (without conditions) and implement additional security controls outside of PAM.
Consider alternative approaches that don't rely solely on service account impersonation with PAM for this use case.
Long-term solution:
Track the progress of the IAM feature request that aims to enable service account-based conditions. This would allow you to restrict iam.serviceAccounts.getAccessToken based on the target service account, effectively controlling which Cloud SQL instances a user can access when impersonating.
Other information (workarounds you have tried, documentation consulted, etc): Currently, there is no workaround within PAM to achieve this level of restriction.
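As an added example, not part of this thread or of any Google tooling, the following Python script audits where `iam.serviceAccounts.getAccessToken` is granted via `roles/iam.serviceAccountTokenCreator`: a project-level binding (conditional or not) covers every service account in the project, while a binding on a service account's own policy is scoped to that account. It assumes policies in the JSON shape `gcloud ... get-iam-policy --format=json` returns; the member names, service account names and policies are constructed sample data.

```python
import json

# Predefined role that carries iam.serviceAccounts.getAccessToken.
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

# Constructed sample data (not real policies): the project-level policy and one
# policy per service account, in the JSON shape `get-iam-policy` returns.
PROJECT_POLICY = json.loads("""{"bindings": [
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["user:alice@example.com"],
   "condition": {"title": "time-box",
                 "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
  {"role": "roles/viewer", "members": ["user:bob@example.com"]}]}""")
SA_PROD = "sql-proxy-prod@example-project.iam.gserviceaccount.com"
SA_DEV = "sql-proxy-dev@example-project.iam.gserviceaccount.com"
SA_POLICIES = {
    SA_PROD: {"bindings": [{"role": TOKEN_CREATOR, "members": ["user:bob@example.com"]}]},
    SA_DEV: {"bindings": []},
}

def token_grants(project_policy, sa_policies):
    """Map each member to {service account: scope of its getAccessToken grant}.

    A project-level binding reaches every service account in the project and a
    condition on it cannot name the target account (the gap this request is
    about), so it is reported as "project"; a binding placed on the service
    account's own policy is reported as "service-account".
    """
    grants = {}
    for b in project_policy.get("bindings", []):
        if b.get("role") != TOKEN_CREATOR:
            continue
        scope = "project (conditional)" if "condition" in b else "project"
        for member in b.get("members", []):
            for sa in sa_policies:
                grants.setdefault(member, {})[sa] = scope
    for sa, policy in sa_policies.items():
        for b in policy.get("bindings", []):
            if b.get("role") != TOKEN_CREATOR:
                continue
            for member in b.get("members", []):
                grants.setdefault(member, {}).setdefault(sa, "service-account")
    return grants

def broad_grants(grants):
    """Members whose getAccessToken access comes from a project-level binding."""
    return sorted(m for m, sas in grants.items()
                  if any(s.startswith("project") for s in sas.values()))
```

Members listed by `broad_grants` are the ones whose access cannot be narrowed to specific service accounts with a condition today, which is the restriction this request asks for.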