This is described internally at go/adc-impersonation

Basically it requires extending the parsing of the ADC configuration file (if it exists) to support a new type: impersonated_service_account. This new type supports the following JSON format:

• "service_account_impersonation_url": string, the URL to use for the impersonation workflow.
  • Example: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken"
• "delegates": array of string. The list of delegates to use in the impersonation workflow.
  • Example: ["[email protected]", "[email protected]" ]
• "source_credentials": object the base credentials to authenticate with.
• "type": string the value "impersonated_service_account"

Recall that we already implement this form of impersonation for external accounts, so there is existing code to reuse.

For details on the impersonation workflow, see:

https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateAccessToken