Fix Google connector ADC implementation within GKE environments
Overview
Adapt the google connector for using application default credentials in GKE.
What this PR does / why we need it
Closes #2676
Upon further testing in a GKE cluster, this line seems to return an empty JSON credential and therefore makes ADC login fail. The default behavior for the google.FindDefaultCredentials function is the following:
On Google Compute Engine, Google App Engine standard second generation runtimes (>= Go 1.11), and Google App Engine flexible environment, it fetches credentials from the metadata server.
The credential.JSON is empty in GKE environments, thus the error. In order to fetch the credentials (token) from the metadata server, the only method I found which worked (i.e., did not return a PERMISSION_DENIED) is to use the flow defined in the impersonate package:
- The base Application Default Credentials is used (SA1)
- That service account (SA1) is then used to impersonate the service account designated by the targetPrincipal field (SA2)
- SA2's token source is then used to impersonate the Google Workspace super user designated by adminEmail
TBH, I'm not sure if this is the canonical way of doing it and I've raised a question here https://github.com/googleapis/google-api-go-client/issues/1698.
Special notes for your reviewer
Does this PR introduce a user-facing change?
@ichbinfrog Before starting the review process, I have a little question. Did it work previously on GKE and GCP without specifying a service account path (without groups)?
@nabokihms during my initial tests it worked on GKE. However, I realized when the issue was submitted that I had a residual json key in the container which was picked up by the google.FindDefaultCredentials function so authentication still used the JSON credentials instead of workload identity.