Description
Is your feature request related to a problem? Please describe.
Missing a feature: Workload Identity Federation (WIF)
GCP workload identity is functional but not Workload Identity Federation (WIF), which consists of giving IAM roles directly to a K8s service account, instead of impersonating a GCP service account.
Currently, we can't use WIF because when configuring the VaultAuth, an annotation is required on the K8s service account.
With Workload Identity Federation (WIF), the IAM permissions are given directly to the K8s service account, and no annotation is required.
ref: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
Describe the solution you'd like
We would like to be able to use WIF, and give IAM permissions directly to the K8s service account.
Describe alternatives you've considered
Currently, we're just using workload identity, the way it's supported.
Implementing this would be a major step forward for the operator's security posture on GCP.
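The two GKE identity models contrasted in this request, as an added example that is not part of the issue or of the operator's code. It uses the member and principal identifier formats from the GKE Workload Identity guide linked above; the project id, project number, namespace, account names and the role in the WIF binding are constructed placeholders, and the `ksa_auth_model` check is a hypothetical stand-in for the annotation requirement the issue describes.

```shell
#!/usr/bin/env sh
# Added example (not from the issue or the operator project). Contrasts the
# legacy impersonation model with Workload Identity Federation for GKE.
# All project, namespace and account names are constructed placeholders.

# Legacy Workload Identity: the KSA impersonates a GSA. The KSA carries the
# iam.gke.io/gcp-service-account annotation and the GSA grants the KSA
# roles/iam.workloadIdentityUser using this member string.
legacy_member() {
  # $1 project id, $2 namespace, $3 KSA name
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"
}

# Workload Identity Federation for GKE: IAM roles are bound on the resource
# directly to the KSA principal; no GSA and no annotation are involved.
wif_principal() {
  # $1 project number, $2 project id, $3 namespace, $4 KSA name
  printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s.svc.id.goog/subject/ns/%s/sa/%s\n' \
    "$1" "$2" "$3" "$4"
}

# Hypothetical check: classify a ServiceAccount manifest (read from stdin) by
# whether it carries the impersonation annotation the issue says VaultAuth
# currently requires. Prints "impersonation" or "direct".
ksa_auth_model() {
  if grep -q 'iam.gke.io/gcp-service-account'; then
    echo "impersonation"
  else
    echo "direct"
  fi
}

# Constructed sample manifests: one annotated for impersonation, one plain
# KSA of the kind WIF would use.
KSA_WITH_ANNOTATION='apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-auth
  namespace: vault
  annotations:
    iam.gke.io/gcp-service-account: vault-auth@example-project.iam.gserviceaccount.com'

KSA_PLAIN='apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-auth
  namespace: vault'

# Show the IAM binding each model needs. Commands are printed, not executed,
# so the script runs offline; roles/secretmanager.secretAccessor stands in for
# whatever role the workload actually needs.
show_bindings() {
  printf '%s\n' "# legacy: grant impersonation of the GSA to the KSA"
  printf '%s\n' "gcloud iam service-accounts add-iam-policy-binding vault-auth@example-project.iam.gserviceaccount.com \\"
  printf '%s\n' "  --role roles/iam.workloadIdentityUser --member \"$(legacy_member example-project vault vault-auth)\""
  printf '%s\n' "# WIF: grant the role on the resource to the KSA principal itself"
  printf '%s\n' "gcloud projects add-iam-policy-binding example-project \\"
  printf '%s\n' "  --role roles/secretmanager.secretAccessor --member \"$(wif_principal 123456789012 example-project vault vault-auth)\""
}

printf '%s\n' "$KSA_WITH_ANNOTATION" | ksa_auth_model   # impersonation
printf '%s\n' "$KSA_PLAIN" | ksa_auth_model             # direct
show_bindings
```

The point the two bindings make visible: under WIF the IAM grant names the Kubernetes service account principal itself, so there is no GSA to annotate and nothing for an annotation-based check to find on the KSA object.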