Service Account Token Creator

GCP IAM — role details

Tier
Specialized
Category
IAM
Scope
resource
Privileges
3
Role ID: roles/iam.serviceAccountTokenCreator

This is a privileged role — it grants elevated control capabilities. Apply the principle of least privilege and monitor role assignments via Cloud Audit Logs.

Specialized

Narrow-scope role for a specific action or use case

Description

Impersonate service accounts to create short-lived credentials and sign JWTs.

Privileges / Capabilities (3)

Create access tokens for service accounts
Sign blobs and JWTs using service account keys
Impersonate service accounts

Permissions (7)

iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.get
iam.serviceAccounts.list

Role Definition (JSON)

{
  "name": "roles/iam.serviceAccountTokenCreator",
  "title": "Service Account Token Creator",
  "description": "Impersonate service accounts to create short-lived credentials and sign JWTs.",
  "stage": "GA",
  "includedPermissions": [
    "iam.serviceAccounts.getAccessToken",
    "iam.serviceAccounts.getOpenIdToken",
    "iam.serviceAccounts.signBlob",
    "iam.serviceAccounts.signJwt",
    "iam.serviceAccounts.implicitDelegation",
    "iam.serviceAccounts.get",