Impersonation
Impersonation is when a user performs actions with cloud resources under a service account with appropriate access permissions. Impersonation is mostly used to temporarily expand user permissions without generating static credentials for the user.
For example, impersonation can help you out when the user has no permissions to view a folder, but needs to for a short while. The administrator may then assign the viewer role for the folder to the service account and the special iam.serviceAccounts.tokenCreator role to the user. This will allow the user to view the folder's resources under the service account or get the service account's IAM token. However, the user will not be able to edit permissions or delete the service account.
The administrator can revoke the iam.serviceAccounts.tokenCreator role from the user whenever needed. The user will then lose the ability to view the folder under the service account.