Hello folks, we are moving from a functioning project using the GCP Classic provider to the Google-Native provider. We are struggling to get impersonation working. We are using Go and the same style of configuration as for the classic provider:

gcp:impersonateServiceAccount: <mailto:res-admin@REDACTED-PROJECT.iam.gserviceaccount.com|res-admin@REDACTED-PROJECT.iam.gserviceaccount.com>
  google-native:impersonateServiceAccount: <mailto:res-admin@REDACTED-PROJECT.iam.gserviceaccount.com|res-admin@REDACTED-PROJECT.iam.gserviceaccount.com>

but it is unable to retrieve the access token:

error: Native: rpc error: code = Unknown desc = invocation of google-native:cloudresourcemanager/v3:getFolder returned an error: error sending request: impersonate: unable to generate access token: Post "https:// <http://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/res-admin@REDACTED-PROJECT.iam.gserviceaccount.com:generateAccessToken|iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/res-admin@REDACTED-PROJECT.iam.gserviceaccount.com:generateAccessToken>": context canceled

# debug log shows it's a reset but this is not a networking issue because it is repeatable (and works via gcloud)
... eventsink.go:86] eventSink::Error(<{%reset%}>

However, this works with the Classic provider and also using gcloud:

❯ gcloud resource-manager folders describe 163783803528 --impersonate-service-account=res-admin@REDACTED-PROJECT.iam.gserviceaccount.com

WARNING: This command is using service account impersonation. All API calls will be executed as [res-admin@REDACTED-PROJECT.iam.gserviceaccount.com].
WARNING: This command is using service account impersonation. All API calls will be executed as [res-admin@REDACTED-PROJECT.iam.gserviceaccount.com].
createTime: '2021-06-16T13:59:02.491Z'
...

Minimal Go code attached. Any ideas as to what's going wrong?

Could you please open an issue for that?

Yes of course, thanks Mikhail.