Merge pull request #626 from alphagov/impersonated_service_account

hannako · web-flow · commit bb68b581dd91 · 2026-03-17T11:47:10.000Z
Allow service account impersonation for local development
diff --git a/Gemfile b/Gemfile
@@ -30,6 +30,7 @@ end
 
 group :development, :test do
   gem "brakeman", require: false
+  gem "googleauth", ">= 1.16.0"
   gem "govuk_test"
   gem "pry-byebug"
   gem "rspec-rails"
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -124,7 +124,7 @@ GEM
       grpc (~> 1.41)
     googleapis-common-protos-types (1.22.0)
       google-protobuf (~> 4.26)
-    googleauth (1.15.1)
+    googleauth (1.16.2)
       faraday (>= 1.0, < 3.a)
       google-cloud-env (~> 2.2)
       google-logging-utils (~> 0.1)
@@ -581,6 +581,7 @@ DEPENDENCIES
   connection_pool
   csv
   google-cloud-discovery_engine
+  googleauth (>= 1.16.0)
   govuk_app_config
   govuk_message_queue_consumer
   govuk_test
diff --git a/README.md b/README.md
@@ -26,8 +26,17 @@ make search-api-v2
 
 ### Running search-api-v2
 
+#### Prerequisites
+
+1. You must be a member of the integration gcp access google group: govuk-gcp-access-integration@digital.cabinet-office.gov.uk
+2. You will need the email address of the custom search-api-v2 integration service account. This is the service account used by Search API v2 running in integration to authenticate its requests to Google Vertex AI Search.
+
+The email address can be found under *IAM and admin > Service Accounts* in the __Search API V2 Integration__ project at https://console.cloud.google.com.
+
+Note: There are two similarly named service accounts. Make sure to select the account used to provide access to the search-api-v2 Rails app and document sync worker.
+
 ```bash
-gcloud auth application-default login
+gcloud auth application-default login --impersonate-service-account <search-api-v2 service account email address>
 govuk-docker up -d search-api-v2-app
 ```
 
diff --git a/config/initializers/impersonated_service_account_credentials.rb b/config/initializers/impersonated_service_account_credentials.rb
@@ -0,0 +1,13 @@
+# This is a monkey patch to allow us to use impersonated service account credentials for local development with govuk-docker
+# https://github.com/googleapis/google-auth-library-ruby/issues/563
+module Google
+  module Auth
+    class ImpersonatedServiceAccountCredentials
+    private
+
+      def prepare_auth_header
+        @source_credentials.updater_proc.call({})
+      end
+    end
+  end
+end
