4
votes

How to set up multiple accounts (projects) in GCP? It is possible in AWS by using assume-role; does anyone know how to do it in Google Cloud (GCP)?

I tried to explore the AWS equivalent in GCP, but was not able to find any documentation.

2
Google Cloud IAM supports accessing multiple accounts with the same credentials. The AWS AssumeRole method is not required in Google Cloud except for G Suite. Edit your question to clarify what you need to do and I will recommend how to do that. AWS and GCP are so different in how IAM is implemented that it makes no sense to compare them feature by feature. – John Hanley

2 Answers

3
votes

As documented, AssumeRole in AWS returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to.

In AWS you can create one set of long-term credentials in one account. Then you can use temporary security credentials to access all the other accounts by assuming roles in those accounts.

The equivalent of the above in GCP would be creating short-lived credentials for service accounts to impersonate their identities (Documentation link).

Accordingly, in GCP you have the “caller” and the “limited-privilege service account” for whom the credential is created.

To implement this scenario, first use the handy documentation on Service Accounts and Cloud IAM Permission Roles in GCP in order to understand how accounts work in GCP, as each account is a Service Account with specific role permissions.

The link I posted above provides detailed information on the flows that allow a caller to create short-lived credentials for a service account and the supported credential types.

Additionally, this link can assist you in visualizing and understanding the resource hierarchy architecture in GCP and give you examples on how to structure your project according to your organization’s structure.

1
votes

The basic answer is "Service Roles". Limited-time service roles are available.

For assigning permissions across projects (but still in the same organization), you can create a custom role.

For letting any user assume the role of a service account, use the Service Account User role.

For limited-time authorization tokens, you have OAuth 2.0 for server-to-server calls, particularly with JWT where available.
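The limited-time OAuth 2.0 server-to-server flow mentioned in this answer (the JWT bearer grant), as an added example that is not part of the original answer or of Google's client libraries. A service account signs a short-lived JWT with its private key and exchanges it at Google's token endpoint for an access token; the example builds the claim set with the one-hour cap, serializes and signs the assertion, and checks a received assertion's lifetime. The signer is injected so the block runs offline; in production it is RS256 with the `private_key` from the service account's JSON key file (the `cryptography` package is used for that only when installed). The service account email and scopes are constructed for the example.

```python
"""Added example (not from the answer above): the OAuth 2.0 JWT bearer grant
used by a service account for server-to-server calls. Nothing here contacts
Google's token endpoint; the signer is injected and the email is constructed."""
import base64
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_ASSERTION_LIFETIME = 3600  # the token endpoint rejects assertions valid longer than 1 hour


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_claims(sa_email, scopes, now=None, lifetime=3600, subject=None):
    """Claim set for the bearer assertion. `subject` is only for G Suite
    domain-wide delegation (acting as a user); leave it None otherwise."""
    if not 1 <= lifetime <= MAX_ASSERTION_LIFETIME:
        raise ValueError("assertion lifetime must be between 1 and 3600 seconds")
    iat = int(now if now is not None else time.time())
    claims = {"iss": sa_email, "scope": " ".join(scopes), "aud": TOKEN_URI,
              "iat": iat, "exp": iat + lifetime}
    if subject:
        claims["sub"] = subject
    return claims


def encode_assertion(claims, sign, alg="RS256", kid=None):
    """Serialize header.payload, sign it, return the compact JWT.
    `sign(signing_input: bytes) -> bytes` wraps the service account's private key."""
    header = {"alg": alg, "typ": "JWT"}
    if kid:
        header["kid"] = kid  # private_key_id from the JSON key file, if you track it
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + _b64url(sign(signing_input.encode("ascii")))


def token_request_form(assertion):
    """Form fields POSTed to TOKEN_URI as application/x-www-form-urlencoded."""
    return {"grant_type": GRANT_TYPE, "assertion": assertion}


def decode_claims(jwt):
    """Read back the claim set without verifying the signature (for local checks)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def assertion_problems(jwt, now=None):
    """Lifetime checks worth running before sending (or when auditing a captured
    assertion): correct audience, lifetime within the cap, not yet expired."""
    claims = decode_claims(jwt)
    now = int(now if now is not None else time.time())
    problems = []
    if claims.get("aud") != TOKEN_URI:
        problems.append("aud is not the token endpoint")
    if claims["exp"] - claims["iat"] > MAX_ASSERTION_LIFETIME:
        problems.append("lifetime exceeds one hour")
    if claims["exp"] <= now:
        problems.append("assertion already expired")
    return problems


if __name__ == "__main__":
    claims = build_claims("deploy-bot@prod-project.iam.gserviceaccount.com",
                          ["https://www.googleapis.com/auth/devstorage.read_only"], lifetime=300)
    try:
        from cryptography.hazmat.primitives import hashes
        from cryptography.hazmat.primitives.asymmetric import padding, rsa
        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # stand-in for the JSON key's private_key
        sign = lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())  # RS256
    except ImportError:
        sign = lambda data: b"\x00" * 256  # placeholder so the example runs without cryptography
    jwt = encode_assertion(claims, sign)
    print(token_request_form(jwt))
    print("problems:", assertion_problems(jwt))
```

Short lifetimes (minutes rather than the full hour) limit how long a captured assertion is replayable, and the `aud` check is what stops an assertion minted for one endpoint being presented to another.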