Fix credentials for groups settings api (#5165)

#### Motivation
In order to call the groups settings API to allow adding external
members to groups, the service account credentials need to contain the
correct scope `'https://www.googleapis.com/auth/apps.groups.settings'`
to verify its admin role in the correspondent Google Workspace
(oss-fuzz.com in this case).

#### Rationale
Calling the get default creds with this scope does not work correctly.
My guess is that the GKE/GCE gets the Application Default Credentials
via its metadata server, which is configured by default to issue tokens
within a limited set of defined scopes (e.g., `cloud-platform`).

An alternative is self-impersonating the service account to generate new
Credentials with the right scopes. This avoids having to deal with
creating a secret containing a new key for the default service account
and then generating the credentials based on this key.

Note: For this to work, the SA must have the `Service Account Token
Creator` role. This is already set for the Compute Engine default
account in all prod environments.

#### Tests
Tested in dev by running the oss_fuzz_cc_groups cronjob with test
groups. logs: https://screenshot.googleplex.com/76a7vJjjKC4NhCe.png

Check complete investigation on: b/477964128

Author: ViniciustCosta

src/clusterfuzz/_internal/google_cloud_utils/credentials.py

@@ -16,12 +16,14 @@
 
 from google.auth import compute_engine
 from google.auth import credentials
+from google.auth import impersonated_credentials
 from google.auth.transport import requests
 from google.oauth2 import service_account
 
 from clusterfuzz._internal.base import memoize
 from clusterfuzz._internal.base import retry
 from clusterfuzz._internal.base import utils
+from clusterfuzz._internal.google_cloud_utils import compute_metadata
 from clusterfuzz._internal.google_cloud_utils import secret_manager
 from clusterfuzz._internal.metrics import logs
 from clusterfuzz._internal.system import environment
@@ -99,3 +101,31 @@ def get_signing_credentials(service_account_info):
         request, '', service_account_email=creds.service_account_email)
     token = creds.token
   return signing_creds, token
+
+
+def get_scoped_service_account_credentials(
+    scopes: list[str]) -> impersonated_credentials.Credentials | None:
+  """Gets scoped credentials by self-impersonating the service account."""
+  creds, _ = get_default()
+  service_account_email = getattr(creds, 'service_account_email', None)
+  if service_account_email == 'default':
+    # Resolve the default service account email using GCE metadata server.
+    service_account_email = compute_metadata.get(
+        'instance/service-accounts/default/email')
+
+  if not service_account_email:
+    logs.warning('Could not retrieve service account email when getting scoped'
+                 'credentials.')
+    return None
+
+  logs.info(
+      f'Using scoped credentials from service account: {service_account_email}')
+  scoped_creds = impersonated_credentials.Credentials(
+      source_credentials=creds,
+      target_principal=service_account_email,
+      target_scopes=scopes,
+  )
+  request = requests.Request()
+  scoped_creds.refresh(request)
+
+  return scoped_creds

src/clusterfuzz/_internal/google_cloud_utils/google_groups.py

@@ -43,7 +43,8 @@ def get_identity_api() -> discovery.Resource | None:
 def get_group_settings_api() -> discovery.Resource | None:
   """Return the groups settings api client."""
   if not hasattr(_local, 'groups_settings_service'):
-    creds, _ = credentials.get_default()
+    scopes = ['https://www.googleapis.com/auth/apps.groups.settings']
+    creds = credentials.get_scoped_service_account_credentials(scopes)
     _local.groups_settings_service = discovery.build(
         'groupssettings', 'v1', credentials=creds, cache_discovery=False)