A service account can be impersonated using the CLI in two ways:
gcloud auth application-default login ...gcloud ... --impersonate-service-account <service-account-email>In both cases, your current role must have the “Service Account Token Creator” role.