Hello
Thanks for your question. It means that the user who runs the AppScript must be able to impersonate the service account, i.e. to generate a token on behalf of the service account.
To achieve that, you need a specific permission on the service account (because the service account is also a resource and you can bind IAM policies on it).
Therefore, you must grant the Service Account Token Creator role on the service account, or higher in the hierarchy (project, folder or organization).
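The grant described above, as an added example that is not part of the original reply: a Python sketch that works on IAM policy documents in their JSON form, reports at which level of the hierarchy a member already holds `roles/iam.serviceAccountTokenCreator`, and adds the binding on the service account's own policy. The policies, member names and helper functions are constructed for illustration, and only direct, unconditional membership is checked (group membership is not expanded).

```python
import copy

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

def grants_role(policy, member, role=TOKEN_CREATOR):
    """True if an unconditional binding in this policy gives `role` to `member`."""
    return any(
        b.get("role") == role
        and "condition" not in b
        and member in b.get("members", [])
        for b in policy.get("bindings", [])
    )

def granting_level(hierarchy, member):
    """hierarchy: list of (level_name, policy), narrowest scope first.
    Returns the first level at which the member holds Token Creator, else None."""
    for level, policy in hierarchy:
        if grants_role(policy, member):
            return level
    return None

def grant_token_creator(policy, member):
    """Return a copy of `policy` with `member` bound to Token Creator.
    Idempotent; keeps the etag so a later setIamPolicy call can detect races."""
    updated = copy.deepcopy(policy)
    if grants_role(updated, member):
        return updated
    for b in updated.setdefault("bindings", []):
        # Reuse an existing unconditional binding; never widen a conditional one.
        if b.get("role") == TOKEN_CREATOR and "condition" not in b:
            b.setdefault("members", []).append(member)
            return updated
    updated["bindings"].append({"role": TOKEN_CREATOR, "members": [member]})
    return updated

# Constructed sample policies (not real project data).
SA_POLICY = {
    "etag": "constructed-etag-1",
    "bindings": [{"role": "roles/iam.serviceAccountUser",
                  "members": ["user:bob@example.com"]}],
}
PROJECT_POLICY = {
    "etag": "constructed-etag-2",
    "bindings": [{"role": TOKEN_CREATOR, "members": ["user:carol@example.com"]}],
}
HIERARCHY = [("service account", SA_POLICY), ("project", PROJECT_POLICY)]
```

Binding the role on the service account itself limits impersonation to that one account, whereas a binding at project, folder or organization level applies to every service account underneath it.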