Update Agent Auth with GCP to use new SignJWT endpoint (#11473)

* Update Agent Auth with GCP to use new SignJWT endpoint

* use iamcredentials name instead of renaming the package on import

* add changelog

* Update changelog/11473.txt

Co-authored-by: Theron Voran <[email protected]>

Co-authored-by: Theron Voran <[email protected]>

Author: catsby

changelog/11473.txt

@@ -0,0 +1,4 @@
+```release-note:change
+agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
+when using GCP Auto-Auth method
+```

command/agent/auth/gcp/gcp.go

@@ -17,7 +17,7 @@ import (
 	"github.com/hashicorp/vault/command/agent/auth"
 	"github.com/hashicorp/vault/sdk/helper/parseutil"
 	"golang.org/x/oauth2"
-	iam "google.golang.org/api/iam/v1"
+	"google.golang.org/api/iamcredentials/v1"
 )
 
 const (
@@ -161,7 +161,7 @@ func (g *gcpMethod) Authenticate(ctx context.Context, client *api.Client) (retPa
 	default:
 		ctx := context.WithValue(context.Background(), oauth2.HTTPClient, cleanhttp.DefaultClient())
 
-		credentials, tokenSource, err := gcputil.FindCredentials(g.credentials, ctx, iam.CloudPlatformScope)
+		credentials, tokenSource, err := gcputil.FindCredentials(g.credentials, ctx, iamcredentials.CloudPlatformScope)
 		if err != nil {
 			retErr = errwrap.Wrapf("could not obtain credentials: {{err}}", err)
 			return
@@ -180,13 +180,6 @@ func (g *gcpMethod) Authenticate(ctx context.Context, client *api.Client) (retPa
 			return
 		}
 
-		project := "-"
-		if g.project != "" {
-			project = g.project
-		} else if credentials != nil {
-			project = credentials.ProjectId
-		}
-
 		ttlMin := int64(defaultIamMaxJwtExpMinutes)
 		if g.jwtExp != 0 {
 			ttlMin = g.jwtExp
@@ -204,17 +197,17 @@ func (g *gcpMethod) Authenticate(ctx context.Context, client *api.Client) (retPa
 			return
 		}
 
-		jwtReq := &iam.SignJwtRequest{
+		jwtReq := &iamcredentials.SignJwtRequest{
 			Payload: string(payloadBytes),
 		}
 
-		iamClient, err := iam.New(httpClient)
+		iamClient, err := iamcredentials.New(httpClient)
 		if err != nil {
 			retErr = errwrap.Wrapf("could not create IAM client: {{err}}", err)
 			return
 		}
 
-		resourceName := fmt.Sprintf("projects/%s/serviceAccounts/%s", project, serviceAccount)
+		resourceName := fmt.Sprintf("projects/-/serviceAccounts/%s", serviceAccount)
 		resp, err := iamClient.Projects.ServiceAccounts.SignJwt(resourceName, jwtReq).Do()
 		if err != nil {
 			retErr = errwrap.Wrapf(fmt.Sprintf("unable to sign JWT for %s using given Vault credentials: {{err}}", resourceName), err)