kubectl "cannot impersonate" - Fix --as Impersonation RBAC in CI
kubectl --as/--as-group impersonates another identity, and impersonation is itself an RBAC-gated action. The calling identity lacks the impersonate verb on users/groups/serviceaccounts, so the API server forbids the request.
What this error means
A command using --as fails with Error from server (Forbidden): users "<id>" is forbidden: User "<caller>" cannot impersonate resource "users" in API group "". Without --as the same caller works - the denial is specifically about impersonating.
Error from server (Forbidden): users "system:serviceaccount:ci:deployer" is
forbidden: User "ci-runner" cannot impersonate resource "users" in API group ""
at the cluster scopeCommon causes
Caller lacks the impersonate verb
No ClusterRole grants the caller impersonate on users/groups/serviceaccounts. Impersonation is privileged and denied by default.
Impersonating a target the grant does not cover
A grant may allow impersonating specific users/groups via resourceNames; --as a different target outside that list is still forbidden.
How to fix it
Decide whether impersonation is actually needed
Often --as was for a permission check; prefer auth can-i ... --as which the API allows, or drop --as and act as the real identity.
kubectl auth can-i create deploy -n prod --as=system:serviceaccount:ci:deployerGrant impersonate deliberately (least privilege)
If the caller must impersonate, grant the impersonate verb, scoped to the specific identities.
kubectl create clusterrole impersonator \
--verb=impersonate --resource=serviceaccounts
kubectl create clusterrolebinding ci-impersonator \
--clusterrole=impersonator --user=ci-runnerHow to prevent it
- Avoid
--asin pipelines unless you specifically need impersonation. - When required, grant
impersonatescoped to named identities only. - Use
auth can-i --asfor permission preflights instead of acting as another user.