Support for Application Default Credentials with impersonated_service_account  #387

@quulah

Is your feature request related to a problem? Please describe.

I'm a bit unsure if this is a bug report, or a feature request.

In any case, for local testing of application code, we would like to impersonate the Service Account used for running the application on GCP.

It works when retrieving the ADC JSON with a user's own set of credentials, but not after adding --impersonate-service-account and then providing the application the JSON in either a well-known location or via GOOGLE_APPLICATION_CREDENTIALS.

This results in "type": "impersonated_service_account":

$ gcloud --impersonate-service-account <service account> auth application-default login

Describe the solution you'd like

Applications using this library should be able to authenticate with the impersonated Service Account.

Describe alternatives you've considered

Currently, local testing just uses the user's own credentials, which may or may not have the same privileges as the Service Account.

Additional context

  • This library is in use via a GCS adapter in our case.
  • I found a similar issue in the Golang oauth2 package, which led me to think that maybe this just isn't supported.
  • Impersonation is mentioned in passing for V2.0
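
Added example, not part of the original issue and not the library's own code: a pre-flight check that reads an ADC JSON document and reports which identity a local test run would act as, so a run that silently falls back to the developer's own privileges is caught. The field names `service_account_impersonation_url`, `source_credentials` and `delegates` are assumed from the file gcloud writes for impersonated logins; `describe_adc` is a hypothetical helper and every value in the sample is a constructed placeholder.

```python
import json
import re

# Constructed sample of the file written by
# `gcloud --impersonate-service-account <service account> auth application-default login`.
# Field names are assumed from gcloud's output; all values are placeholders.
SAMPLE_ADC = json.dumps({
    "type": "impersonated_service_account",
    "service_account_impersonation_url": (
        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
        "app-runner@example-project.iam.gserviceaccount.com:generateAccessToken"
    ),
    "delegates": [],
    "source_credentials": {
        "type": "authorized_user",
        "client_id": "PLACEHOLDER",
        "client_secret": "PLACEHOLDER",
        "refresh_token": "PLACEHOLDER",
    },
})

# The target service account is the path segment before ":generateAccessToken".
_TARGET_RE = re.compile(r"/serviceAccounts/([^/:]+):generateAccessToken$")


def describe_adc(raw):
    """Return which identity an ADC JSON document will authenticate as."""
    doc = json.loads(raw)
    kind = doc.get("type")
    if kind == "authorized_user":
        # Plain user login: the test runs with the developer's own privileges.
        return {"type": kind, "acts_as": "end user", "impersonated": False}
    if kind == "service_account":
        return {"type": kind, "acts_as": doc.get("client_email"), "impersonated": False}
    if kind == "impersonated_service_account":
        m = _TARGET_RE.search(doc.get("service_account_impersonation_url", ""))
        if not m:
            raise ValueError("impersonation URL does not name a service account")
        source = doc.get("source_credentials", {}).get("type")
        return {"type": kind, "acts_as": m.group(1), "impersonated": True,
                "source_type": source, "delegates": doc.get("delegates", [])}
    # Fail closed on anything this check does not understand.
    raise ValueError(f"unsupported ADC type: {kind!r}")


if __name__ == "__main__":
    print(describe_adc(SAMPLE_ADC))
```
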
