Unable to impersonate service account to execute tests

[abharku]

we use service-account impersonation to execute everything through our pipelines but I couldn't find a way to do this with chef-inspec

Describe the problem

I have tried following with a containerized inspec:

function inspec { docker run -it -e GOOGLE_OAUTH_ACCESS_TOKEN=$(gcloud auth print-access-token [email protected]) --rm -v $(pwd):/share 6bf4cff907b6 "$@"; }

If I pass the same SA's key file in GOOGLE_APPLICATION_CREDENTIALS it works

I do get the warning when I use first command that SA impersonation will be used but get output like below:

WARNING: This command is using service account impersonation. All API calls will be executed as [[email protected]].

Profile: GCP InSpec Profile (policy-monitor)
Version: 0.1.0
Target: gcp://default

 No tests executed.

Profile: Google Cloud Platform Resource Pack (inspec-gcp)
Version: 1.8.8
Target: gcp://default

 No tests executed.

Test Summary: 0 successful, 0 failures, 0 skipped

I am trying to execute tests like below which works if have GOOGLE_APPLICATION_CREDENTIALS :

inspec exec . -t gcp:// --input-file=inputs.yml --chef-license=accept-silent --insecure --no-ssl --self-signed

[cleibl]

I'm running into the same issue. Were you ever able to solve it? I've tried every which way of env vars, tokens, etc and can still not get it to work.

[amitkumardube]

I have the same issue. gcp-inspec simply seems to be ignoring this env variable in GitHub workflow.
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT: project-service-account@..**.iam.gserviceaccount.com

Any idea about how to use service account impersonation with gcp inspec resources.