Error when use impersonate service account in GCP #6150

Open
vtran42 opened this issue Jun 17, 2022 · 2 comments

vtran42 commented Jun 17, 2022

Hi,
I am using the following code to perform integration testing in a GCP project.

```ruby
describe google_project_service(project: 'chef-gcp-inspec', name: 'aiplatform.googleapis.com') do
  it { should exist }
  its('state') { should cmp "ENABLED" }
end
```

This code works fine with the service account with its key. However, when I use the same code for the impersonated service account, it fails with the error:

```
Profile: GCP InSpec Profile (inspec-image)
Version: 0.1.0
Target: gcp://SA1

× google-project-service-1.0: Ensure that the Vertex API has been enabled correctly
  × Control Source Code Error ./controls/vertexai_dataset.rb:64
  Bad response: #Net::HTTPForbidden:0x0000000008e0d460
```

The GCP IAM environment is set up as follows:

  • SA1 has a key
  • SA2 is impersonating from SA1

I tried to look around for a resolution but had no luck.
Please let me know if I am missing something.
Thanks

rbclark commented Jun 20, 2022

It may help if you provide some more information about how you are instructing InSpec to impersonate the service account. InSpec just leverages https://github.com/googleapis/google-auth-library-ruby to handle authentication with Google Cloud, so if that library doesn't support it then by extension InSpec wouldn't do it out of the box. This also seems very relevant: googleapis/google-auth-library-ruby#353

vtran42 commented Jun 20, 2022

Thanks @rbclark for your information. Yes, I tried to use the google-auth-library-ruby to handle authentication before I raised the issue.
Yes, it is related to issue #353.
