final fix to make service account impersonation work with iap tunnels (#10054)

builder/googlecompute/builder.go

@@ -80,6 +80,7 @@ func (b *Builder) Run(ctx context.Context, ui packer.Ui, hook packer.Hook) (pack
 			IAPConf:            &b.config.IAPConfig,
 			CommConf:           &b.config.Comm,
 			AccountFile:        b.config.AccountFile,
+			ImpersonateAccount: b.config.ImpersonateServiceAccount,
 			ProjectId:          b.config.ProjectId,
 		},
 		&communicator.StepConnect{

builder/googlecompute/step_start_tunnel.go

@@ -134,6 +134,7 @@ type StepStartTunnel struct {
 	IAPConf            *IAPConfig
 	CommConf           *communicator.Config
 	AccountFile        string
+	ImpersonateAccount string
 	ProjectId          string
 
 	tunnelDriver TunnelDriver
@@ -276,6 +277,10 @@ func (s *StepStartTunnel) Run(ctx context.Context, state multistep.StateBag) mul
 		"--zone", c.Zone, "--project", s.ProjectId,
 	}
 
+	if s.ImpersonateAccount != "" {
+		args = append(args, fmt.Sprintf("--impersonate-service-account='%s'", s.ImpersonateAccount))
+	}
+
 	// This is the port the IAP tunnel listens on, on localhost.
 	// TODO make setting LocalHostPort optional
 	err = ApplyIAPTunnel(s.CommConf, s.IAPConf.IAPLocalhostPort)