Support WIF Impersonation on GCP workloads

[sfc-gh-eqin]

Please answer these questions before submitting your pull requests. Thanks!

1. What GitHub issue is this PR addressing? Make sure that there is an accompanying issue to your PR.

   SNOW-2183347

2. Fill out the following pre-review checklist:

   • I am adding a new automated test(s) to verify correctness of my new code
   • I am adding new logging messages
   • I am adding a new telemetry message
   • I am modifying authorization mechanisms
   • I am adding new credentials
   • I am modifying OCSP code
   • I am adding a new dependency

3. Please describe how your code solves the related issue.

   Please write a short description of how your code change solves the related issue.

The issue is that some use cases have a CSP account that maps to multiple other CSP accounts, each of which may map to a Snowflake user.

The code does the following on GCP workloads:

• Allows users to specify a workload_identity_impersonation_path of impersonated accounts
• Uses the impersonations and the IAM credentials API to get the identity token for the last service account in the impersonation path
• Uses the same verification procedure with the Snowflake backend to get a session token with the user corresponding to the last service account in the impersonation path

4. (Optional) PR for stored-proc connector:

Manual Testing

Verified that this works on GCP (see private doc)

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[sfc-gh-eqin]

• Support WIF Impersonation on GCP workloads #2496 👈 (View in Graphite)
• Update WIF integration tests to verify authenticated username + prepare for impersonation #2510
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[sfc-gh-pmansour]

I think this is broadly the right direction! Let's clean up the code, validate it on a real GCP environment, add tests, then expand to other CSPs

[sfc-gh-eqin]

I have read the CLA Document and I hereby sign the CLA

[sfc-gh-pmansour]

Looks great! Just rebase + fix a few minor comments, and I think you're ready to merge today :)

[sfc-gh-pmansour]

@sfc-gh-eqin you may need to update the release notes to add a new section for vNext, and add a bullet point saying impersonation for workload identity federation is now supported.