Skip to main content

User Impersonation

User impersonation allows administrators to temporarily sign in to Pomerium as another user or group within an organization. The impersonating user is subject to the access and authorization policies of the impersonated user.

Why impersonate a user?

In certain circumstances, it's useful for an administrative user to impersonate another user, like:

  • Troubleshooting errors. If a user reports that they do not have access to a particular resource, you may want to impersonate that user in order to see what they see, to help diagnose any problems with the authorization policy.
  • Making changes for an absent user. If a user is out of office, you could impersonate them to make changes for them while they're away.
  • Testing policies, routes, or other settings. As an admin, you can build authorization polices and test them out as another user to preview what other users will see depending on the permissions you grant them.

How to impersonate a user

You can impersonate a user by using the Console GUI or creating a Service Account.

Impersonate a user in the Console

  1. In your Console, select the Logout icon
  2. Select Impersonate
  3. In the Session dropdown, select the user you want to impersonate
  4. Select Impersonate

When you're finished impersonating the user, select Unimpersonate.

Impersonate from the Console GUI

Impersonate a user with a Service Account

Create a service account:


Before you begin, confirm you are in the correct Namespace. A service account can only be used in the Namespace it was created in, including its children Namespaces.

  1. Go to Service Accounts
  2. Select Add Service Account
  3. Select User ID, enter an optional Description, and set the expiration time
  4. Save the Service Token JWT

Create a Service Account

Add the Service Account to a policy:

  1. Go to Policies > NEW POLICY
  2. In the Builder tab, select ADD ALLOW BLOCK
  3. In the Criteria field, select User
  4. In the Search Users field, select the Service Account

Add Service Account to a policy

Now, you can apply the policy to a route and access it using any of the following header schemes:

  • Authorization: Bearer Pomerium-${pomerium_jwt}
  • X-Pomerium-Authorization: ${pomerium_jwt}
  • Authorization: Pomerium ${pomerium_jwt}