Service account keys provide long lived access. One often has to provide short term access to GCP resources. That's what Service account impersonation does.

Service account impersonation requires two service accounts - the one doing the impersonation (the caller Service Account) - and the one being impersonated (the principal Service Account). For the caller Service Account, the Token Creator Role is required.

From GCP docs

  1. In the Google Cloud console, go to the Service Accounts page.Go to Service Accounts
  2. Select a project.
  3. Click the email address of the privilege-bearing service account, PRIV_SA.
  4. Click the Permissions tab.
  5. Under Principals with access to this service account, click  Grant Access.
  6. Enter the email address of the caller service account, CALLER_SA.For example, [email protected].
  7. Select the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator).
  8. Click Save to grant the role to the service account.

What if a USER credential wants to impersonate a service account?

This follows  the same pattern as above  - you would simply have a caller user id instead of a service account.