Overview
This node allows impersonation of a Google Cloud Service Account (SA) to obtain an OAuth 2.0 access token. It is useful when you want to perform actions on Google Cloud resources with the permissions of a specific service account without directly using its credentials. Common scenarios include automation workflows that need temporary delegated access or cross-service authentication within Google Cloud projects.
For example, you might use this node to:
- Generate an access token for a service account to call Google Cloud APIs.
- Delegate limited permissions to a downstream process by impersonating a service account.
- Automate token generation in CI/CD pipelines or serverless functions.
Properties
| Name | Meaning |
|---|---|
| GCE Metadata Server URL | The URL of the Google Compute Engine metadata server to retrieve tokens (default: https://metadata.google.internal/). |
| Target Service Account Email | The email address of the service account to impersonate (e.g., service-account@project-id.iam.gserviceaccount.com). Required. |
| Scopes | Comma-separated list of OAuth 2.0 scopes for the access token (e.g., https://www.googleapis.com/auth/cloud-platform). Required. |
| Delegates | Optional comma-separated list of service account emails forming the delegation chain. |
| Token Lifetime | Desired lifetime duration of the access token, specified as a string like "300s" or "5m". |
Output
The node outputs JSON data containing the following fields:
- accessToken: The generated OAuth 2.0 access token string for the impersonated service account.
- expireTime: The expiration time of the access token.
- targetServiceAccount: The email of the impersonated service account.
- scopes: The array of OAuth scopes granted to the token.
- lifetime: The requested lifetime duration of the token.
The output is structured as an array of JSON objects, one per input item processed.
Dependencies
- Requires access to the Google Compute Engine metadata server to obtain an initial token.
- Uses utility functions (from bundled dependencies) to parse scopes and delegates strings and to perform the actual service account impersonation via Google Cloud APIs.
- Requires network connectivity to Google Cloud endpoints.
- Needs appropriate permissions on the initial identity to impersonate the target service account.
- No explicit external API keys are configured inside the node; it relies on environment and metadata server authentication.
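The two exchanges listed above (a caller token from the metadata server, then a call to the IAM Credentials generateAccessToken endpoint) and the input validation the Troubleshooting section describes, as an added JavaScript example that is not the node's own code. The endpoint paths, the `Metadata-Flavor: Google` header and the `projects/-/serviceAccounts/...` delegate format are the public Google Cloud API conventions; the 3600s lifetime cap is the API default; the `fetch` stand-in, its responses and all token values are constructed so the flow runs offline:

```javascript
// Added example (not the node's own code). Builds the metadata-server token
// fetch and the IAM Credentials generateAccessToken call, runs them against an
// injectable fetch, and validates inputs up front. Sample responses are constructed.

const IAM_CREDENTIALS_BASE = 'https://iamcredentials.googleapis.com/v1';
const MAX_DEFAULT_LIFETIME_SECONDS = 3600; // API default cap; longer needs an org policy

// Parse a comma-separated property value ("a, b,,c") into a clean array.
function parseList(value) {
  if (!value) return [];
  return value.split(',').map((s) => s.trim()).filter((s) => s.length > 0);
}

// Normalise "300s" / "5m" / "1h" to seconds so the cap can be checked early.
function lifetimeToSeconds(lifetime) {
  const m = /^(\d+)(s|m|h)$/.exec(String(lifetime).trim());
  if (!m) throw new Error(`Malformed lifetime: ${lifetime}`);
  const n = Number(m[1]);
  return m[2] === 's' ? n : m[2] === 'm' ? n * 60 : n * 3600;
}

// Build the generateAccessToken request; fails fast on the common mistakes
// (missing email, empty scopes, lifetime over the default limit).
function buildImpersonationRequest({ targetServiceAccount, scopes, delegates, lifetime, callerToken }) {
  if (!targetServiceAccount || !targetServiceAccount.includes('@')) {
    throw new Error('Target Service Account Email is required');
  }
  const scopeList = parseList(scopes);
  if (scopeList.length === 0) throw new Error('At least one OAuth 2.0 scope is required');
  const seconds = lifetimeToSeconds(lifetime || '3600s');
  if (seconds > MAX_DEFAULT_LIFETIME_SECONDS) {
    throw new Error(`Token lifetime ${lifetime} exceeds the default ${MAX_DEFAULT_LIFETIME_SECONDS}s limit`);
  }
  return {
    url: `${IAM_CREDENTIALS_BASE}/projects/-/serviceAccounts/${targetServiceAccount}:generateAccessToken`,
    method: 'POST',
    headers: { Authorization: `Bearer ${callerToken}`, 'Content-Type': 'application/json' },
    body: {
      scope: scopeList,
      // The API expects delegates as resource names, not bare emails.
      delegates: parseList(delegates).map((e) => `projects/-/serviceAccounts/${e}`),
      lifetime: `${seconds}s`,
    },
  };
}

// Step 1: the caller's own token from the metadata server. The Metadata-Flavor
// header is mandatory; the server refuses requests without it.
async function fetchMetadataToken(fetchImpl, metadataUrl) {
  const base = metadataUrl.replace(/\/+$/, '');
  const res = await fetchImpl(`${base}/computeMetadata/v1/instance/service-accounts/default/token`, {
    headers: { 'Metadata-Flavor': 'Google' },
  });
  if (!res.ok) throw new Error(`Metadata server returned HTTP ${res.status}`);
  return (await res.json()).access_token;
}

// Step 2: exchange the caller token for a short-lived token of the target SA.
async function impersonate(fetchImpl, params) {
  const callerToken = await fetchMetadataToken(fetchImpl, params.metadataUrl);
  const req = buildImpersonationRequest({ ...params, callerToken });
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: JSON.stringify(req.body) });
  if (!res.ok) throw new Error(`generateAccessToken failed: HTTP ${res.status}`);
  const { accessToken, expireTime } = await res.json();
  return { accessToken, expireTime, targetServiceAccount: params.targetServiceAccount,
           scopes: req.body.scope, lifetime: req.body.lifetime };
}

// Constructed stand-in for fetch so the flow runs offline; token values are fake.
function makeFakeFetch() {
  const calls = [];
  const fetchImpl = async (url, init = {}) => {
    calls.push({ url, init });
    if (url.includes('/computeMetadata/')) {
      if (!init.headers || init.headers['Metadata-Flavor'] !== 'Google') return { ok: false, status: 403 };
      return { ok: true, status: 200, json: async () => ({ access_token: 'CONSTRUCTED-caller-token', expires_in: 3599, token_type: 'Bearer' }) };
    }
    if (url.endsWith(':generateAccessToken')) {
      return { ok: true, status: 200, json: async () => ({ accessToken: 'CONSTRUCTED-sa-token', expireTime: '2024-01-01T00:05:00Z' }) };
    }
    return { ok: false, status: 404 };
  };
  return { fetchImpl, calls };
}

// Usage: same shape as the node's properties and output.
const { fetchImpl } = makeFakeFetch();
impersonate(fetchImpl, {
  metadataUrl: 'https://metadata.google.internal/',
  targetServiceAccount: 'service-account@project-id.iam.gserviceaccount.com',
  scopes: 'https://www.googleapis.com/auth/cloud-platform',
  delegates: '',
  lifetime: '5m',
}).then((out) => console.log(JSON.stringify(out, null, 2))).catch((e) => console.error(e.message));
```

Checking the lifetime before the call is worthwhile because the API rejects anything above 3600s unless the organization has raised the limit, and that rejection otherwise arrives as an opaque per-item error. The `Authorization` header carries the caller's token, so the caller identity, not the node, is what needs `roles/iam.serviceAccountTokenCreator` on the target.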
Troubleshooting
Common issues:
- Failure to connect to the metadata server URL (check network and environment).
- Invalid or missing target service account email.
- Insufficient permissions to impersonate the specified service account.
- Malformed scopes or delegates strings.
- Token lifetime exceeding allowed limits.
Error messages:
- Errors thrown during token retrieval or impersonation will be surfaced. If "Continue On Fail" is enabled, errors for individual items will be returned in the output JSON under an `error` field.
- To resolve permission errors, ensure the calling identity has the `roles/iam.serviceAccountTokenCreator` role on the target service account.
- Verify that the scopes are valid OAuth 2.0 scopes accepted by Google Cloud APIs.