[BEAM-14014] Add parameter for service account impersonation in GCP credentials

[kennknowles]

Adding this parameter, which is standardizing across GCP. It is a chain of accounts where the user invoking the API call has delegation permissions and each account has permissions to the next, until we reach the target principal.

---

Thank you for your contribution! Follow this checklist to help us incorporate your contribution quickly and easily:

• Choose reviewer(s) and mention them in a comment (R: @username).
• Format the pull request title like [BEAM-XXX] Fixes bug in ApproximateQuantiles, where you replace BEAM-XXX with the appropriate JIRA issue, if applicable. This will automatically link the pull request to the issue.
• Update CHANGES.md with noteworthy changes.
• If this contribution is large, please file an Apache Individual Contributor License Agreement.

See the Contributor Guide for more tips on how to make review process smoother.

To check the build health, please visit https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md

GitHub Actions Tests Status (on master branch)

See CI.md for more information about GitHub Actions CI.

[kennknowles]

R: @ryanthompson591

I'm figuring I can piggyback an integration test for this on whatever you come up with for you PR #17244.

[aaltay]

What is the next step on this PR?

[kennknowles]

Added a test, but unfortunately Jenkins testing runs as the same service account as the Dataflow workers (both are the default GCE service account) so I cannot remove permissions from the account and ensure the test is meaningful. I have run the test as myself locally to confirm, but more work is needed to make sure CI can truly keep this feature healthy.

[kennknowles]

Noting that everything is green, aka I didn't break anything. And if you believe my comments and code, this works. So now I am going to continue with changes within the Google Cloud Console and a new commit that might break things again.

[kennknowles]

PTAL. Tests are green. Most of the work was in the GCP setup. Now the pipeline option is not shipped to workers, so that solves that problem for this PR.

[kennknowles]

run java postcommit

[aaltay]

LGTM. I think one gap to address in the future is testing is that the delegation chain longer than 1 (more than just target principal) is not tested.

[kennknowles]

Agree. I will do some set up of the apache-beam-testing project to get this tested.

[lukecwik]

It seems odd to take a string that we parse instead of List/String[] since PipelineOptionsFactory can do this already for us. See

beam/sdks/java/core/src/test/java/org/apache/beam/sdk/options/PipelineOptionsFactoryTest.java

Line 1423 in 937e22f

String[] args = new String[] {"--string=stringValue1,stringValue2,stringValue3"};

[kennknowles]

Ah, I did not realize this. That could be a useful follow-up. We do want the format of the parameter to be the same across SDKs and across Beam and gcloud, etc. But it seems that comma-separated strings will be the same across all of them.