
Backport of Update gcp-common/IAM Credentials API usage into release/vault-1.5.x #112

Merged

Conversation

hc-github-team-secure-vault-ecosystem
Contributor

Backport

This PR is auto-generated from #108 to be assessed for backporting due to the inclusion of the label backport/vault-1.5.x.

The below text is copied from the body of the original PR.


Overview

Updates how we sign JWTs, to use supported methods and move away from deprecated methods. The SignJWT method in the IAM library we're using is deprecated. The migration guide says to move to the IAM Service Account Credentials API for that method instead. The other methods we use in the IAM library appear to continue to be supported.

Updates to:

Related Issues/Pull Requests

Contributor Checklist

[x] Add output for any tests not run in CI to the PR description (eg, acceptance tests)

Tests:

[vault-plugin-auth-gcp][jwt-lib-update](4)$ make test-acc TEST=./... TESTARGS="-v -count=1"
?       github.com/hashicorp/vault-plugin-auth-gcp      [no test files]
=== RUN   TestAuthorizeGCE
=== PAUSE TestAuthorizeGCE
=== RUN   TestGetIAMAlias
=== RUN   TestGetIAMAlias/invalid_type
=== RUN   TestGetIAMAlias/empty_type_goes_to_default
=== RUN   TestGetIAMAlias/default_type
=== RUN   TestGetIAMAlias/unique_id
--- PASS: TestGetIAMAlias (0.00s)
    --- PASS: TestGetIAMAlias/invalid_type (0.00s)
    --- PASS: TestGetIAMAlias/empty_type_goes_to_default (0.00s)
    --- PASS: TestGetIAMAlias/default_type (0.00s)
    --- PASS: TestGetIAMAlias/unique_id (0.00s)
=== RUN   TestGetGCEAlias
=== RUN   TestGetGCEAlias/invalid_type
=== RUN   TestGetGCEAlias/empty_type_goes_to_default
=== RUN   TestGetGCEAlias/default_type
=== RUN   TestGetGCEAlias/instance_id
--- PASS: TestGetGCEAlias (0.00s)
    --- PASS: TestGetGCEAlias/invalid_type (0.00s)
    --- PASS: TestGetGCEAlias/empty_type_goes_to_default (0.00s)
    --- PASS: TestGetGCEAlias/default_type (0.00s)
    --- PASS: TestGetGCEAlias/instance_id (0.00s)
=== RUN   TestZoneToRegion
=== PAUSE TestZoneToRegion
=== RUN   TestZoneFromSelfLink
=== PAUSE TestZoneFromSelfLink
=== RUN   TestBackend_PathConfigRead
=== PAUSE TestBackend_PathConfigRead
=== RUN   TestBackend_PathConfigWrite
=== PAUSE TestBackend_PathConfigWrite
=== RUN   TestConfig_Update
=== PAUSE TestConfig_Update
=== RUN   TestLogin_IAM
=== PAUSE TestLogin_IAM
=== RUN   TestRoleUpdateIam
=== PAUSE TestRoleUpdateIam
=== RUN   TestRoleIam_Wildcard
=== PAUSE TestRoleIam_Wildcard
=== RUN   TestRoleIam_EditServiceAccounts
=== PAUSE TestRoleIam_EditServiceAccounts
=== RUN   TestRoleIam_MissingRequiredArgs
=== PAUSE TestRoleIam_MissingRequiredArgs
=== RUN   TestRoleIam_HasGceArgs
=== PAUSE TestRoleIam_HasGceArgs
=== RUN   TestRoleGce
=== PAUSE TestRoleGce
=== RUN   TestRoleGce_EditLabels
=== PAUSE TestRoleGce_EditLabels
=== RUN   TestRoleGce_DeprecatedFields
=== PAUSE TestRoleGce_DeprecatedFields
=== RUN   TestRole_MissingRequiredArgs
=== PAUSE TestRole_MissingRequiredArgs
=== RUN   TestRole_InvalidRoleType
--- PASS: TestRole_InvalidRoleType (0.00s)
=== RUN   TestRetrieveRole
=== RUN   TestRetrieveRole/TokenPeriod_upgrade
=== RUN   TestRetrieveRole/TokenPolicies_upgrade
=== RUN   TestRetrieveRole/not_found
=== RUN   TestRetrieveRole/bad_data
=== RUN   TestRetrieveRole/boundRegion_upgrade
=== RUN   TestRetrieveRole/TTL_upgrade
=== RUN   TestRetrieveRole/MaxTTL_upgrade
=== RUN   TestRetrieveRole/storage_error
=== RUN   TestRetrieveRole/projectID_upgrade
=== RUN   TestRetrieveRole/boundZone_upgrade
=== RUN   TestRetrieveRole/boundInstanceGroup_upgrade
=== RUN   TestRetrieveRole/storage_put_error
=== RUN   TestRetrieveRole/roleID_is_generated_when_one_does_not_exist
--- PASS: TestRetrieveRole (0.00s)
    --- PASS: TestRetrieveRole/TokenPeriod_upgrade (0.00s)
    --- PASS: TestRetrieveRole/TokenPolicies_upgrade (0.00s)
    --- PASS: TestRetrieveRole/not_found (0.00s)
    --- PASS: TestRetrieveRole/bad_data (0.00s)
    --- PASS: TestRetrieveRole/boundRegion_upgrade (0.00s)
    --- PASS: TestRetrieveRole/TTL_upgrade (0.00s)
    --- PASS: TestRetrieveRole/MaxTTL_upgrade (0.00s)
    --- PASS: TestRetrieveRole/storage_error (0.00s)
    --- PASS: TestRetrieveRole/projectID_upgrade (0.00s)
    --- PASS: TestRetrieveRole/boundZone_upgrade (0.00s)
    --- PASS: TestRetrieveRole/boundInstanceGroup_upgrade (0.00s)
    --- PASS: TestRetrieveRole/storage_put_error (0.00s)
    --- PASS: TestRetrieveRole/roleID_is_generated_when_one_does_not_exist (0.00s)
=== CONT  TestAuthorizeGCE
=== RUN   TestAuthorizeGCE/labels_no_match_key
=== PAUSE TestAuthorizeGCE/labels_no_match_key
=== CONT  TestRoleGce
=== CONT  TestRoleIam_HasGceArgs
=== CONT  TestRoleIam_MissingRequiredArgs
=== RUN   TestAuthorizeGCE/labels_no_match_value
=== PAUSE TestAuthorizeGCE/labels_no_match_value
=== RUN   TestAuthorizeGCE/zone_as_self_link_exists
=== PAUSE TestAuthorizeGCE/zone_as_self_link_exists
=== CONT  TestRole_MissingRequiredArgs
--- PASS: TestRoleIam_HasGceArgs (0.00s)
=== CONT  TestRoleGce_DeprecatedFields
=== RUN   TestRoleGce_DeprecatedFields/deprecated_fields_upgraded
=== PAUSE TestRoleGce_DeprecatedFields/deprecated_fields_upgraded
=== RUN   TestRoleGce_DeprecatedFields/existing_storage_upgraded
=== PAUSE TestRoleGce_DeprecatedFields/existing_storage_upgraded
=== CONT  TestRoleGce_DeprecatedFields/deprecated_fields_upgraded
=== CONT  TestRoleGce_EditLabels
--- PASS: TestRoleIam_MissingRequiredArgs (0.00s)
=== CONT  TestRoleGce_DeprecatedFields/existing_storage_upgraded
=== CONT  TestRoleIam_Wildcard
=== CONT  TestRoleUpdateIam
=== CONT  TestLogin_IAM
=== CONT  TestConfig_Update
=== CONT  TestBackend_PathConfigWrite
=== RUN   TestConfig_Update/empty
=== PAUSE TestConfig_Update/empty
=== RUN   TestBackend_PathConfigWrite/field_validation
=== RUN   TestConfig_Update/keeps_existing
=== PAUSE TestBackend_PathConfigWrite/field_validation
=== PAUSE TestConfig_Update/keeps_existing
=== RUN   TestBackend_PathConfigWrite/not_exist
=== RUN   TestConfig_Update/overwrites_changes
=== PAUSE TestBackend_PathConfigWrite/not_exist
=== RUN   TestBackend_PathConfigWrite/exist
=== PAUSE TestConfig_Update/overwrites_changes
=== PAUSE TestBackend_PathConfigWrite/exist
=== CONT  TestBackend_PathConfigWrite/field_validation
=== RUN   TestConfig_Update/overwrites_and_new
=== CONT  TestBackend_PathConfigWrite/exist
=== PAUSE TestConfig_Update/overwrites_and_new
=== CONT  TestConfig_Update/empty
=== CONT  TestRoleIam_EditServiceAccounts
=== CONT  TestConfig_Update/overwrites_and_new
=== CONT  TestConfig_Update/overwrites_changes
=== CONT  TestConfig_Update/keeps_existing
=== CONT  TestBackend_PathConfigWrite/not_exist
=== RUN   TestAuthorizeGCE/zone_as_name_exists
=== PAUSE TestAuthorizeGCE/zone_as_name_exists
--- PASS: TestRoleGce_DeprecatedFields (0.00s)
    --- PASS: TestRoleGce_DeprecatedFields/deprecated_fields_upgraded (0.00s)
    --- PASS: TestRoleGce_DeprecatedFields/existing_storage_upgraded (0.00s)
=== RUN   TestAuthorizeGCE/zone_as_self_link_no_exists
=== CONT  TestBackend_PathConfigRead
=== RUN   TestBackend_PathConfigRead/field_validation
=== PAUSE TestBackend_PathConfigRead/field_validation
=== RUN   TestBackend_PathConfigRead/not_exist
=== PAUSE TestBackend_PathConfigRead/not_exist
=== RUN   TestBackend_PathConfigRead/exist
=== PAUSE TestBackend_PathConfigRead/exist
=== CONT  TestBackend_PathConfigRead/field_validation
=== CONT  TestBackend_PathConfigRead/exist
=== CONT  TestBackend_PathConfigRead/not_exist
--- PASS: TestRole_MissingRequiredArgs (0.00s)
--- PASS: TestRoleGce (0.00s)
--- PASS: TestRoleGce_EditLabels (0.00s)
--- PASS: TestRoleIam_Wildcard (0.00s)
=== CONT  TestZoneToRegion
--- PASS: TestConfig_Update (0.00s)
    --- PASS: TestConfig_Update/empty (0.00s)
    --- PASS: TestConfig_Update/overwrites_and_new (0.00s)
    --- PASS: TestConfig_Update/overwrites_changes (0.00s)
    --- PASS: TestConfig_Update/keeps_existing (0.00s)
=== RUN   TestZoneToRegion/0_us-central1-a_to_us-central1
=== PAUSE TestZoneToRegion/0_us-central1-a_to_us-central1
--- PASS: TestRoleUpdateIam (0.00s)
=== RUN   TestZoneToRegion/1_northamerica-northeast1-c_to_northamerica-northeast1
=== CONT  TestZoneFromSelfLink
=== PAUSE TestZoneToRegion/1_northamerica-northeast1-c_to_northamerica-northeast1
--- PASS: TestBackend_PathConfigWrite (0.00s)
    --- PASS: TestBackend_PathConfigWrite/field_validation (0.00s)
    --- PASS: TestBackend_PathConfigWrite/exist (0.00s)
    --- PASS: TestBackend_PathConfigWrite/not_exist (0.00s)
=== RUN   TestZoneToRegion/2_europe-west3-c_to_europe-west3
=== PAUSE TestZoneToRegion/2_europe-west3-c_to_europe-west3
=== RUN   TestZoneFromSelfLink/0
=== RUN   TestZoneToRegion/3_us_err
=== PAUSE TestZoneToRegion/3_us_err
=== PAUSE TestZoneFromSelfLink/0
=== RUN   TestZoneToRegion/4__err
=== PAUSE TestZoneToRegion/4__err
=== CONT  TestZoneToRegion/0_us-central1-a_to_us-central1
=== CONT  TestZoneToRegion/3_us_err
=== RUN   TestZoneFromSelfLink/1
=== PAUSE TestZoneFromSelfLink/1
=== RUN   TestZoneFromSelfLink/2
=== CONT  TestZoneToRegion/2_europe-west3-c_to_europe-west3
=== PAUSE TestZoneFromSelfLink/2
=== PAUSE TestAuthorizeGCE/zone_as_self_link_no_exists
=== CONT  TestZoneFromSelfLink/0
=== RUN   TestAuthorizeGCE/zone_as_name_no_exists
=== CONT  TestZoneFromSelfLink/2
=== CONT  TestZoneFromSelfLink/1
=== CONT  TestZoneToRegion/1_northamerica-northeast1-c_to_northamerica-northeast1
=== CONT  TestZoneToRegion/4__err
--- PASS: TestZoneFromSelfLink (0.00s)
    --- PASS: TestZoneFromSelfLink/0 (0.00s)
    --- PASS: TestZoneFromSelfLink/2 (0.00s)
    --- PASS: TestZoneFromSelfLink/1 (0.00s)
=== PAUSE TestAuthorizeGCE/zone_as_name_no_exists
--- PASS: TestZoneToRegion (0.00s)
    --- PASS: TestZoneToRegion/0_us-central1-a_to_us-central1 (0.00s)
    --- PASS: TestZoneToRegion/3_us_err (0.00s)
    --- PASS: TestZoneToRegion/2_europe-west3-c_to_europe-west3 (0.00s)
    --- PASS: TestZoneToRegion/1_northamerica-northeast1-c_to_northamerica-northeast1 (0.00s)
    --- PASS: TestZoneToRegion/4__err (0.00s)
=== RUN   TestAuthorizeGCE/zone_as_invalid
=== PAUSE TestAuthorizeGCE/zone_as_invalid
=== RUN   TestAuthorizeGCE/region_as_self_link_exists
=== PAUSE TestAuthorizeGCE/region_as_self_link_exists
=== RUN   TestAuthorizeGCE/region_as_name_exists
=== PAUSE TestAuthorizeGCE/region_as_name_exists
=== RUN   TestAuthorizeGCE/region_as_self_link_no_exists
=== PAUSE TestAuthorizeGCE/region_as_self_link_no_exists
=== RUN   TestAuthorizeGCE/region_as_name_no_exists
=== PAUSE TestAuthorizeGCE/region_as_name_no_exists
--- PASS: TestRoleIam_EditServiceAccounts (0.00s)
=== RUN   TestAuthorizeGCE/region_as_invalid
=== PAUSE TestAuthorizeGCE/region_as_invalid
=== RUN   TestAuthorizeGCE/bound_instance_groups_unbound
=== PAUSE TestAuthorizeGCE/bound_instance_groups_unbound
--- PASS: TestBackend_PathConfigRead (0.00s)
    --- PASS: TestBackend_PathConfigRead/field_validation (0.00s)
    --- PASS: TestBackend_PathConfigRead/exist (0.00s)
    --- PASS: TestBackend_PathConfigRead/not_exist (0.00s)
=== RUN   TestAuthorizeGCE/bound_instance_groups_empty_bound_zones
=== PAUSE TestAuthorizeGCE/bound_instance_groups_empty_bound_zones
=== RUN   TestAuthorizeGCE/bound_instance_groups_no_exist_bound_zones
=== PAUSE TestAuthorizeGCE/bound_instance_groups_no_exist_bound_zones
=== RUN   TestAuthorizeGCE/bound_instance_groups_empty_bound_regions
=== PAUSE TestAuthorizeGCE/bound_instance_groups_empty_bound_regions
=== RUN   TestAuthorizeGCE/bound_instance_groups_no_exist_bound_regions
=== PAUSE TestAuthorizeGCE/bound_instance_groups_no_exist_bound_regions
=== RUN   TestAuthorizeGCE/bound_instance_groups_no_contains_instance
=== PAUSE TestAuthorizeGCE/bound_instance_groups_no_contains_instance
=== RUN   TestAuthorizeGCE/bound_service_account_no_exist
=== PAUSE TestAuthorizeGCE/bound_service_account_no_exist
=== RUN   TestAuthorizeGCE/bound_service_account_id
=== PAUSE TestAuthorizeGCE/bound_service_account_id
=== RUN   TestAuthorizeGCE/bound_service_account_email
=== PAUSE TestAuthorizeGCE/bound_service_account_email
=== RUN   TestAuthorizeGCE/success_zone_binding
=== PAUSE TestAuthorizeGCE/success_zone_binding
=== RUN   TestAuthorizeGCE/success_region_binding
=== PAUSE TestAuthorizeGCE/success_region_binding
=== RUN   TestAuthorizeGCE/success_instance_group_zone_binding
=== PAUSE TestAuthorizeGCE/success_instance_group_zone_binding
=== RUN   TestAuthorizeGCE/success_instance_group_region_binding
=== PAUSE TestAuthorizeGCE/success_instance_group_region_binding
=== CONT  TestAuthorizeGCE/labels_no_match_key
=== CONT  TestAuthorizeGCE/bound_instance_groups_empty_bound_zones
=== CONT  TestAuthorizeGCE/zone_as_self_link_no_exists
=== CONT  TestAuthorizeGCE/zone_as_name_exists
=== CONT  TestAuthorizeGCE/region_as_self_link_no_exists
=== CONT  TestAuthorizeGCE/region_as_self_link_exists
=== CONT  TestAuthorizeGCE/region_as_name_exists
=== CONT  TestAuthorizeGCE/zone_as_self_link_exists
=== CONT  TestAuthorizeGCE/zone_as_name_no_exists
=== CONT  TestAuthorizeGCE/success_instance_group_region_binding
=== CONT  TestAuthorizeGCE/bound_instance_groups_unbound
=== CONT  TestAuthorizeGCE/region_as_invalid
=== CONT  TestAuthorizeGCE/region_as_name_no_exists
=== CONT  TestAuthorizeGCE/success_instance_group_zone_binding
=== CONT  TestAuthorizeGCE/success_region_binding
=== CONT  TestAuthorizeGCE/success_zone_binding
=== CONT  TestAuthorizeGCE/bound_service_account_email
=== CONT  TestAuthorizeGCE/bound_service_account_id
=== CONT  TestAuthorizeGCE/bound_service_account_no_exist
=== CONT  TestAuthorizeGCE/bound_instance_groups_no_contains_instance
=== CONT  TestAuthorizeGCE/bound_instance_groups_no_exist_bound_regions
=== CONT  TestAuthorizeGCE/bound_instance_groups_empty_bound_regions
=== CONT  TestAuthorizeGCE/bound_instance_groups_no_exist_bound_zones
=== CONT  TestAuthorizeGCE/zone_as_invalid
=== CONT  TestAuthorizeGCE/labels_no_match_value
--- PASS: TestAuthorizeGCE (0.01s)
    --- PASS: TestAuthorizeGCE/labels_no_match_key (0.00s)
    --- PASS: TestAuthorizeGCE/bound_instance_groups_empty_bound_zones (0.00s)
    --- PASS: TestAuthorizeGCE/zone_as_self_link_no_exists (0.00s)
    --- PASS: TestAuthorizeGCE/zone_as_name_exists (0.00s)
    --- PASS: TestAuthorizeGCE/region_as_self_link_exists (0.00s)
    --- PASS: TestAuthorizeGCE/region_as_self_link_no_exists (0.00s)
    --- PASS: TestAuthorizeGCE/region_as_name_exists (0.00s)
    --- PASS: TestAuthorizeGCE/zone_as_self_link_exists (0.00s)
    --- PASS: TestAuthorizeGCE/zone_as_name_no_exists (0.00s)
    --- PASS: TestAuthorizeGCE/success_instance_group_region_binding (0.00s)
    --- PASS: TestAuthorizeGCE/bound_instance_groups_unbound (0.00s)
    --- PASS: TestAuthorizeGCE/region_as_invalid (0.00s)
    --- PASS: TestAuthorizeGCE/region_as_name_no_exists (0.00s)
    --- PASS: TestAuthorizeGCE/success_instance_group_zone_binding (0.00s)
    --- PASS: TestAuthorizeGCE/success_region_binding (0.00s)
    --- PASS: TestAuthorizeGCE/success_zone_binding (0.00s)
    --- PASS: TestAuthorizeGCE/bound_service_account_email (0.00s)
    --- PASS: TestAuthorizeGCE/bound_service_account_id (0.00s)
    --- PASS: TestAuthorizeGCE/bound_service_account_no_exist (0.00s)
    --- PASS: TestAuthorizeGCE/bound_instance_groups_no_contains_instance (0.00s)
    --- PASS: TestAuthorizeGCE/bound_instance_groups_no_exist_bound_regions (0.00s)
    --- PASS: TestAuthorizeGCE/bound_instance_groups_empty_bound_regions (0.00s)
    --- PASS: TestAuthorizeGCE/bound_instance_groups_no_exist_bound_zones (0.00s)
    --- PASS: TestAuthorizeGCE/zone_as_invalid (0.00s)
    --- PASS: TestAuthorizeGCE/labels_no_match_value (0.00s)
=== RUN   TestLogin_IAM/not_bound
=== PAUSE TestLogin_IAM/not_bound
=== RUN   TestLogin_IAM/not_bound_project
=== PAUSE TestLogin_IAM/not_bound_project
=== RUN   TestLogin_IAM/no_policies
=== PAUSE TestLogin_IAM/no_policies
=== RUN   TestLogin_IAM/expire_late
=== PAUSE TestLogin_IAM/expire_late
=== RUN   TestLogin_IAM/group_aliases
=== PAUSE TestLogin_IAM/group_aliases
=== RUN   TestLogin_IAM/wildcard
=== PAUSE TestLogin_IAM/wildcard
=== RUN   TestLogin_IAM/ttl
=== PAUSE TestLogin_IAM/ttl
=== RUN   TestLogin_IAM/max_ttl
=== PAUSE TestLogin_IAM/max_ttl
=== RUN   TestLogin_IAM/period
=== PAUSE TestLogin_IAM/period
=== RUN   TestLogin_IAM/jwt_already_expired
=== PAUSE TestLogin_IAM/jwt_already_expired
=== CONT  TestLogin_IAM/not_bound
=== CONT  TestLogin_IAM/wildcard
=== CONT  TestLogin_IAM/expire_late
=== CONT  TestLogin_IAM/jwt_already_expired
=== CONT  TestLogin_IAM/group_aliases
=== CONT  TestLogin_IAM/no_policies
=== CONT  TestLogin_IAM/not_bound_project
=== CONT  TestLogin_IAM/max_ttl
=== CONT  TestLogin_IAM/period
=== CONT  TestLogin_IAM/ttl
--- PASS: TestLogin_IAM (0.55s)
    --- PASS: TestLogin_IAM/jwt_already_expired (0.32s)
    --- PASS: TestLogin_IAM/expire_late (0.51s)
    --- PASS: TestLogin_IAM/no_policies (0.70s)
    --- PASS: TestLogin_IAM/ttl (0.70s)
    --- PASS: TestLogin_IAM/period (0.70s)
    --- PASS: TestLogin_IAM/wildcard (0.70s)
    --- PASS: TestLogin_IAM/not_bound (0.70s)
    --- PASS: TestLogin_IAM/not_bound_project (0.70s)
    --- PASS: TestLogin_IAM/max_ttl (0.70s)
    --- PASS: TestLogin_IAM/group_aliases (0.91s)
PASS
ok      github.com/hashicorp/vault-plugin-auth-gcp/plugin       3.127s
?       github.com/hashicorp/vault-plugin-auth-gcp/plugin/cache [no test files]

[x] Backwards compatible

According to the tests, this is backwards compatible. This PR only changes the parts where we call SignJWT, and doesn't remove or otherwise change the usage of iam/v1, as there are some parts pertaining to UniqueID which are not (?) found in the Service Account Credentials API. The methods in question do not appear to be deprecated.

@catsby catsby merged commit 80d0f15 into release/vault-1.5.x Apr 29, 2021
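The migration the PR describes, shown end to end as an added example that is not the plugin's code and not part of the original PR: a client has a JWT signed through the IAM Service Account Credentials API (the REST method projects.serviceAccounts.signJwt, called here with plain net/http rather than the Google client library the PR refers to), and the relying party verifies the result the way Vault's GCP IAM login does: signature, audience "vault/<role>", and a bounded exp. Everything offline is an assumption: NewFakeCredentialsServer is a constructed stand-in for iamcredentials.googleapis.com that signs with a locally generated RSA key, the service account email and role name are made up, and the maxJwtExp parameter models the role's max_jwt_exp setting. The request and response shapes, and the "-" project wildcard in the resource name, follow the public API reference.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// VaultLoginClaims is the claim set the GCP auth method's IAM login consumes:
// sub = service account, aud = "vault/<role>", exp = short-lived expiry.
type VaultLoginClaims struct {
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignJWTViaCredentialsAPI calls projects.serviceAccounts.signJwt on the IAM
// Service Account Credentials API (https://iamcredentials.googleapis.com in
// production): request {"payload": "<claims JSON>"}, response {"keyId","signedJwt"}.
// The "-" project wildcard replaces the project id the deprecated iam/v1 name needed.
func SignJWTViaCredentialsAPI(c *http.Client, baseURL, saEmail string, claims VaultLoginClaims) (string, error) {
	payload, _ := json.Marshal(claims)
	body, _ := json.Marshal(map[string]string{"payload": string(payload)})
	url := fmt.Sprintf("%s/v1/projects/-/serviceAccounts/%s:signJwt", baseURL, saEmail)
	resp, err := c.Post(url, "application/json", strings.NewReader(string(body)))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("signJwt: HTTP %d", resp.StatusCode)
	}
	var out struct{ SignedJwt string }
	err = json.NewDecoder(resp.Body).Decode(&out)
	return out.SignedJwt, err
}

// NewFakeCredentialsServer is a constructed stand-in for the Google endpoint so
// this runs offline: it checks the request shape and answers with an RS256 JWS
// carrying the key id, as the real service does with the SA's managed key.
func NewFakeCredentialsServer(key *rsa.PrivateKey, keyID string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var req struct{ Payload string }
		if r.Method != http.MethodPost || !strings.HasSuffix(r.URL.Path, ":signJwt") ||
			json.NewDecoder(r.Body).Decode(&req) != nil || req.Payload == "" {
			http.Error(w, "bad signJwt request", http.StatusBadRequest)
			return
		}
		header := fmt.Sprintf(`{"alg":"RS256","typ":"JWT","kid":"%s"}`, keyID)
		input := b64([]byte(header)) + "." + b64([]byte(req.Payload))
		digest := sha256.Sum256([]byte(input))
		sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
		json.NewEncoder(w).Encode(map[string]string{"keyId": keyID, "signedJwt": input + "." + b64(sig)})
	}))
}

// VerifyVaultJWT is the relying-party half: check the RS256 signature with the
// service account's public key, then require the expected audience and an exp in
// (now, now+maxJwtExp], the window the role's max_jwt_exp setting bounds (assumed).
func VerifyVaultJWT(tok string, pub *rsa.PublicKey, wantAud string, now time.Time, maxJwtExp time.Duration) (VaultLoginClaims, error) {
	var claims VaultLoginClaims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return claims, fmt.Errorf("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return claims, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return claims, fmt.Errorf("bad signature: %w", err)
	}
	// Claims are decoded only after the signature has been verified.
	payload := base64.NewDecoder(base64.RawURLEncoding, strings.NewReader(parts[1]))
	if err := json.NewDecoder(payload).Decode(&claims); err != nil {
		return claims, err
	}
	if claims.Aud != wantAud {
		return claims, fmt.Errorf("audience %q, want %q", claims.Aud, wantAud)
	}
	if exp := time.Unix(claims.Exp, 0); !exp.After(now) || exp.Sub(now) > maxJwtExp {
		return claims, fmt.Errorf("exp %d outside the allowed window", claims.Exp)
	}
	return claims, nil
}
```

To exercise it, generate an RSA key, start NewFakeCredentialsServer with it, call SignJWTViaCredentialsAPI against srv.URL with the claims you want, and hand the token plus the key's public half to VerifyVaultJWT. Two points worth keeping when porting this to the real endpoint: the resource name is projects/-/serviceAccounts/<email>, so the caller no longer needs to know the project, and the caller needs roles/iam.serviceAccountTokenCreator on that service account, since the Credentials API signs with the Google-managed key rather than a downloaded one.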