README.md: 3 additions & 3 deletions
@@ -350,15 +350,15 @@ This allows the Proxy to act as a different service account, which can be useful
350
350
for granting access to resources that are not accessible to the default IAM principal.
351
351
352
352
To use service account impersonation, you must have the
353
-
`iam.serviceAccounts.getAccessToken` permission on the IAM principal. You can grant this permission by assigning the
353
+
`iam.serviceAccounts.getAccessToken` permission on the IAM principal impersonating another service account. You can grant this permission by assigning the
354
354
`roles/iam.serviceAccountTokenCreator` role to the IAM principal.
355
355
356
356
To impersonate a service account, use the `--impersonate-service-account` flag:
357
357
358
358
> [!NOTE]:
359
359
>
360
-
> The service account must have `Cloud SQL Instance User`, `Service Usage Consumer` and `Cloud SQL Client permissions`.
361
-
> The `roles/iam.serviceAccountTokenCreator` role is not required on the impersonated service account but on the IAM principal impersonating the service account.
360
+
> The impersonated service account must have the `Service Usage Consumer` and `Cloud SQL Client` permissions. Additionally, to use IAM Authenticated users, add the `Cloud SQL Instance User` permission.
361
+
362
362
363
363
```shell
364
364
# Starts a listener on localhost:5432 and impersonates the service account
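Review bot: The new note line (+360) calls `Service Usage Consumer`, `Cloud SQL Client` and `Cloud SQL Instance User` "permissions", but these are role names, and the paragraph just above already distinguishes the `iam.serviceAccounts.getAccessToken` permission from the `roles/iam.serviceAccountTokenCreator` role. Suggest saying "roles" here and giving the role IDs next to the display names so readers can paste them into a binding. The reworded line +353 still reads "permission on the IAM principal", which leaves it unclear where the grant is made, and the removed line -361 was the only place that stated the Token Creator role is not needed on the impersonated account. Consider wording such as "the IAM principal that impersonates the service account must have `iam.serviceAccounts.getAccessToken` on that service account", and mention that granting the role on the target service account rather than project-wide limits impersonation to that one account. The unchanged line 354 ("role to the IAM principal") would benefit from the same qualifier.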