Update internal GCP Auth to use new SignJWT endpoint

.changelog/1389.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+plugin/vault: Use Service Account Credentials API for GCP SignJWT endpoint
+```

builtin/vault/internal/auth/gcp/gcp.go

@@ -16,7 +16,7 @@ import (
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/sdk/helper/parseutil"
 	"golang.org/x/oauth2"
-	iam "google.golang.org/api/iam/v1"
+	iam "google.golang.org/api/iamcredentials/v1"
 
 	"github.com/hashicorp/waypoint/builtin/vault/internal/auth"
 )
@@ -181,13 +181,6 @@ func (g *gcpMethod) Authenticate(ctx context.Context, client *api.Client) (retPa
 			return
 		}
 
-		project := "-"
-		if g.project != "" {
-			project = g.project
-		} else if credentials != nil {
-			project = credentials.ProjectId
-		}
-
 		ttlMin := int64(defaultIamMaxJwtExpMinutes)
 		if g.jwtExp != 0 {
 			ttlMin = g.jwtExp
@@ -215,7 +208,9 @@ func (g *gcpMethod) Authenticate(ctx context.Context, client *api.Client) (retPa
 			return
 		}
 
-		resourceName := fmt.Sprintf("projects/%s/serviceAccounts/%s", project, serviceAccount)
+		// JWTs are signed via the IAM Service Account Credentials API.
+		// See https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signJwt
+		resourceName := fmt.Sprintf("projects/-/serviceAccounts/%s", serviceAccount)
 		resp, err := iamClient.Projects.ServiceAccounts.SignJwt(resourceName, jwtReq).Do()
 		if err != nil {
 			retErr = errwrap.Wrapf(fmt.Sprintf("unable to sign JWT for %s using given Vault credentials: {{err}}", resourceName), err)