
Google: Add functionality to impersonate GSuite Admin identity without JSON

Open NaurisSadovskis opened this issue 3 years ago • 6 comments

Overview

Hi folks, adding an option to impersonate GSuite Admin identity without service account key JSON. This functionality has been recently added as part of google-api-go-client v0.46.0

What this PR does / why we need it

This feature is primarily aimed at folks running within Google Cloud Platform (GCE/GKE):

  • Removes the need for (long-lived) user-managed service account keys when configuring Dex

Addresses: #1756

Special notes for your reviewer

I have not tested this with an actual GSuite tenant, as I don't have one, but can test it sometime next week.

Does this PR introduce a user-facing change?

Add the ability to impersonate GSuite Admin identity without service account JSON when running on Google Cloud Platform

NaurisSadovskis, May 15 '21 18:05
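As an added illustration of the keyless flow the PR description refers to (this is example code written for this page; it is neither dex's Google connector nor the impersonate package of google-api-go-client): the workload's ambient identity asks the IAM Credentials API to sign a JWT whose issuer is the target service account and whose subject is the Workspace admin, then exchanges that signed assertion at Google's OAuth2 token endpoint for a delegated access token. Only the Go standard library is used. The type and function names, the overridable endpoint fields, and the assumption that `hc` is an `http.Client` already authenticated with the runtime identity (for instance GKE Workload Identity) are assumptions of this example, not of the project.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// DelegationConfig describes one keyless domain-wide delegation request.
// The names are assumptions of this example, not dex or google-api-go-client types.
type DelegationConfig struct {
	TargetServiceAccount string   // service account granted domain-wide delegation in the Workspace tenant
	Subject              string   // Workspace admin user to impersonate
	Scopes               []string // Admin SDK scopes the delegated token needs
	IAMCredentialsURL    string   // IAM Credentials API base URL; empty means production
	TokenURL             string   // OAuth2 token endpoint, also the JWT "aud"; empty means production
}

// DelegationClaims builds the claim set Google signs on our behalf.
// The "sub" claim is what turns a plain service-account token into a delegated admin token.
func DelegationClaims(cfg DelegationConfig, now time.Time) map[string]interface{} {
	return map[string]interface{}{
		"iss":   cfg.TargetServiceAccount,
		"sub":   cfg.Subject,
		"scope": strings.Join(cfg.Scopes, " "),
		"aud":   cfg.TokenURL,
		"iat":   now.Unix(),
		"exp":   now.Add(time.Hour).Unix(),
	}
}

// SignJWT has the IAM Credentials API sign the claims with the target service account's
// Google-managed key, so no private key is ever stored on the Dex side. The caller's ambient
// identity behind hc needs roles/iam.serviceAccountTokenCreator on the target service account.
func SignJWT(ctx context.Context, hc *http.Client, cfg DelegationConfig, claims map[string]interface{}) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	body, _ := json.Marshal(map[string]string{"payload": string(payload)})
	endpoint := fmt.Sprintf("%s/v1/projects/-/serviceAccounts/%s:signJwt",
		cfg.IAMCredentialsURL, url.PathEscape(cfg.TargetServiceAccount))
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/json")
	var out struct {
		SignedJwt string `json:"signedJwt"`
	}
	if err := doJSON(hc, req, &out); err != nil {
		return "", fmt.Errorf("signJwt: %w", err)
	}
	if out.SignedJwt == "" {
		return "", fmt.Errorf("signJwt: response carried no signedJwt")
	}
	return out.SignedJwt, nil
}

// ExchangeJWT trades the signed assertion for a delegated access token (RFC 7523 jwt-bearer grant).
func ExchangeJWT(ctx context.Context, hc *http.Client, cfg DelegationConfig, signed string) (string, error) {
	form := url.Values{
		"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"},
		"assertion":  {signed},
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, cfg.TokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	var out struct {
		AccessToken string `json:"access_token"`
	}
	if err := doJSON(hc, req, &out); err != nil {
		return "", fmt.Errorf("token exchange: %w", err)
	}
	if out.AccessToken == "" {
		return "", fmt.Errorf("token exchange: response carried no access_token")
	}
	return out.AccessToken, nil
}

// DelegatedAccessToken runs both steps; the result is the Bearer token a Directory API call would use.
func DelegatedAccessToken(ctx context.Context, hc *http.Client, cfg DelegationConfig) (string, error) {
	if cfg.IAMCredentialsURL == "" {
		cfg.IAMCredentialsURL = "https://iamcredentials.googleapis.com"
	}
	if cfg.TokenURL == "" {
		cfg.TokenURL = "https://oauth2.googleapis.com/token"
	}
	signed, err := SignJWT(ctx, hc, cfg, DelegationClaims(cfg, time.Now()))
	if err != nil {
		return "", err
	}
	return ExchangeJWT(ctx, hc, cfg, signed)
}

// doJSON sends req and decodes a JSON body. Non-2xx responses surface the body text, so a
// 404 "Requested entity was not found" reaches the operator instead of being swallowed.
func doJSON(hc *http.Client, req *http.Request, out interface{}) error {
	resp, err := hc.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	raw, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return err
	}
	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
		return fmt.Errorf("status code %d: %s", resp.StatusCode, strings.TrimSpace(string(raw)))
	}
	return json.Unmarshal(raw, out)
}
```

Two points worth keeping in mind when reading it: the only IAM permission involved is the runtime identity's right to mint tokens for the target service account, so there is no key file to rotate; and because `doJSON` returns the response body on failure, a misconfigured target service account or subject shows up as the Google error text rather than a bare status code.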

Anything pending to get this moving forward? Happy to contribute.

frezbo, Feb 03 '22 09:02

I would be happy to test this. @sagikazarmark, is it simply docker build -t img .? Or is the build process more complex?

Maybe it would be good to share the gcloud commands required to set up the service account with impersonation permissions? 😅

jetersen, Feb 17 '22 22:02

Got to:

Failed to authenticate: google: could not retrieve groups: could not list groups: Get "https://admin.googleapis.com/admin/directory/v1/groups?alt=json&pageToken=&prettyPrint=false&userKey=user%40company.com": impersonate: status code 404: { "error": { "code": 404, "message": "Requested entity was not found.", "status": "NOT_FOUND" } }

Not sure how I can validate that the service account is working.

Any hints, @NaurisSadovskis?

jetersen, Feb 23 '22 09:02

What is the latest status? We need this feature too. We are hosting argocd in GKE, and there is a service account on the worker nodes; we do not want to paste a service account key, because our service account key needs to be rotated.

jinnjwu, May 01 '22 07:05