analyzeServiceAccountImpersonation property
If true, the response will include access analysis from identities to resources via service account impersonation.

This is a very expensive operation, because many derived queries will be executed. We highly recommend you use the AssetService.AnalyzeIamPolicyLongrunning RPC instead.

For example, if the request analyzes which resources user A has permission P on, and one IAM policy states that user A has the iam.serviceAccounts.getAccessToken permission on a service account SA, and another IAM policy states that service account SA has permission P on a Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. Those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis.

As another example, if the request analyzes who has permission P on a Google Cloud folder F, and one IAM policy states that user A has the iam.serviceAccounts.actAs permission on a service account SA, and another IAM policy states that service account SA has permission P on the Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. Those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis.

Only the following permissions are considered in this analysis:

* iam.serviceAccounts.actAs
* iam.serviceAccounts.signBlob
* iam.serviceAccounts.signJwt
* iam.serviceAccounts.getAccessToken
* iam.serviceAccounts.getOpenIdToken
* iam.serviceAccounts.implicitDelegation

Default is false.

Optional.
Implementation
core.bool? analyzeServiceAccountImpersonation;
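
The "who has permission P on folder F" derivation described above, as an added Python example that models the reasoning locally; it is not the Cloud Asset API's implementation and not code from this package. All principals, resources and bindings are constructed, and following chains through more than one service account is an assumption of this model, not documented behaviour.

```python
from collections import deque

# The six permissions the property documentation lists as considered.
IMPERSONATION_PERMISSIONS = frozenset({
    "iam.serviceAccounts.actAs",
    "iam.serviceAccounts.signBlob",
    "iam.serviceAccounts.signJwt",
    "iam.serviceAccounts.getAccessToken",
    "iam.serviceAccounts.getOpenIdToken",
    "iam.serviceAccounts.implicitDelegation",
})

SA = "serviceAccount:sa@example"    # hypothetical service account
SA2 = "serviceAccount:sa2@example"  # hypothetical second service account

# Constructed sample bindings: (principal, permission, resource).
BINDINGS = [
    (SA, "storage.buckets.list", "folders/F"),
    ("user:a@example", "iam.serviceAccounts.getAccessToken", SA),
    ("user:b@example", "iam.serviceAccounts.actAs", SA),
    ("user:c@example", "iam.serviceAccounts.get", SA),  # not a listed permission
    ("user:d@example", "storage.buckets.list", "folders/F"),
    (SA2, "iam.serviceAccounts.signBlob", SA),
    (SA, "iam.serviceAccounts.signJwt", SA2),  # cycle back; must not loop forever
]


def who_can(bindings, permission, resource):
    """Return {principal: [service accounts it would impersonate]}.

    Direct holders of `permission` on `resource` map to an empty list;
    derived holders map to the impersonation path, nearest account first.
    """
    paths = {p: [] for p, perm, res in bindings
             if perm == permission and res == resource}
    queue = deque(p for p in paths if p.startswith("serviceAccount:"))
    while queue:
        sa = queue.popleft()
        for principal, perm, res in bindings:
            if (res == sa and perm in IMPERSONATION_PERMISSIONS
                    and principal not in paths):
                paths[principal] = [sa] + paths[sa]
                if principal.startswith("serviceAccount:"):
                    queue.append(principal)
    return paths


if __name__ == "__main__":
    for principal, path in who_can(BINDINGS, "storage.buckets.list", "folders/F").items():
        print(principal, "direct" if not path else "via " + " -> ".join(path))
```

Principals with a non-empty path are the ones a review of direct bindings on the folder alone would miss.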