doc: clarify which SA has Token Creator role (#330)

commit: 4086543259df721dbe8ff44c88c985f7674a6748 [log] [tgz]
author: Tianzi Cai <tianzih@outlook.com> Fri Mar 29 11:12:37 2019 -0700
committer: Bu Sun Kim <8822365+busunkim96@users.noreply.github.com> Fri Mar 29 11:12:37 2019 -0700
tree: 5140c2e42fe6ca2d83c79709544841ee32544333
parent: 908da752d01fef728bd5cb3eb5b13f2b5c335e51 [diff] [blame]
diff --git a/docs/user-guide.rst b/docs/user-guide.rst
index 7587917..6283662 100644
--- a/docs/user-guide.rst
+++ b/docs/user-guide.rst

@@ -209,8 +209,8 @@
 ++++++++++++++++++++++++
 
 Impersonated Credentials allows one set of credentials issued to a user or service account
-to impersonate another.  The target service account must grant the source credential
-the "Service Account Token Creator" IAM role::
+to impersonate another.  The source credentials must be granted 
+the "Service Account Token Creator" IAM role. ::
 
     from google.auth import impersonated_credentials
 
@@ -232,7 +232,7 @@
 
 In the example above `source_credentials` does not have direct access to list buckets
 in the target project.  Using `ImpersonatedCredentials` will allow the source_credentials
-to assume the identity of a target_principal that does have access
+to assume the identity of a target_principal that does have access.
 
 Making authenticated requests
 -----------------------------
commit	4086543259df721dbe8ff44c88c985f7674a6748	[log] [tgz]
author	Tianzi Cai <tianzih@outlook.com>	Fri Mar 29 11:12:37 2019 -0700
committer	Bu Sun Kim <8822365+busunkim96@users.noreply.github.com>	Fri Mar 29 11:12:37 2019 -0700
tree	5140c2e42fe6ca2d83c79709544841ee32544333
parent	908da752d01fef728bd5cb3eb5b13f2b5c335e51 [diff] [blame]