Initial commit for service account impersonation in different universe (#14064) (#23063)

[upstream:7303f23ddbd506ffdd2b98c3ec1a4223de6a44f8]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/14064.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+provider: supported service account impersonation in different universes through credential file
+```

google/provider/universe/universe_domain_storage_test.go

@@ -34,28 +34,29 @@ func TestAccUniverseDomainStorage(t *testing.T) {
 
 	universeDomain := envvar.GetTestUniverseDomainFromEnv(t)
 	bucketName := acctest.TestBucketName(t)
+	region := envvar.GetTestRegionFromEnv()
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
 		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
 		CheckDestroy:             testAccStorageBucketDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccUniverseDomain_bucket(universeDomain, bucketName),
+				Config: testAccUniverseDomain_bucket(universeDomain, bucketName, region),
 			},
 		},
 	})
 }
 
-func testAccUniverseDomain_bucket(universeDomain string, bucketName string) string {
+func testAccUniverseDomain_bucket(universeDomain string, bucketName string, region string) string {
 	return fmt.Sprintf(`
 provider "google" {
   universe_domain = "%s"
 }
 	  
 resource "google_storage_bucket" "foo" {
   name     = "%s"
-  location = "US"
+  location = "%s"
 }
   
 data "google_storage_bucket" "bar" {
@@ -64,7 +65,7 @@ data "google_storage_bucket" "bar" {
 	google_storage_bucket.foo,
   ]
 }
-`, universeDomain, bucketName)
+`, universeDomain, bucketName, region)
 }
 
 func testAccStorageBucketDestroyProducer(t *testing.T) func(s *terraform.State) error {

google/transport/config.go

@@ -30,6 +30,9 @@ import (
 	"strings"
 	"time"
 
+	"cloud.google.com/go/auth/credentials"
+	"cloud.google.com/go/auth/credentials/impersonate"
+	"cloud.google.com/go/auth/oauth2adapt"
 	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
 	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
 
@@ -2375,10 +2378,33 @@ func (c *Config) GetCredentials(clientScopes []string, initialCredentialsOnly bo
 		}
 
 		if c.ImpersonateServiceAccount != "" && !initialCredentialsOnly {
-			opts := []option.ClientOption{option.WithCredentialsJSON([]byte(contents)), option.ImpersonateCredentials(c.ImpersonateServiceAccount, c.ImpersonateServiceAccountDelegates...), option.WithScopes(clientScopes...)}
-			creds, err := transport.Creds(context.TODO(), opts...)
+			jsonCreds, err := credentials.DetectDefault(&credentials.DetectOptions{
+				Scopes:          clientScopes,
+				CredentialsJSON: []byte(contents),
+			})
 			if err != nil {
-				return googleoauth.Credentials{}, err
+				return googleoauth.Credentials{}, fmt.Errorf("error loading credentials: %s", err)
+			}
+
+			impersonateOpts := &impersonate.CredentialsOptions{
+				TargetPrincipal: c.ImpersonateServiceAccount,
+				Scopes:          clientScopes,
+				Delegates:       c.ImpersonateServiceAccountDelegates,
+				Credentials:     jsonCreds,
+			}
+
+			if c.UniverseDomain != "" && c.UniverseDomain != "googleapis.com" {
+				impersonateOpts.UniverseDomain = c.UniverseDomain
+			}
+
+			authCred, err := impersonate.NewCredentials(impersonateOpts)
+			if err != nil {
+				return googleoauth.Credentials{}, fmt.Errorf("error loading credentials: %s", err)
+			}
+
+			creds := oauth2adapt.Oauth2CredentialsFromAuthCredentials(authCred)
+			if err != nil {
+				return googleoauth.Credentials{}, fmt.Errorf("error loading credentials: %s", err)
 			}
 			return *creds, nil
 		}