Support for GCP service account impersonation #550

@collado-mike

Description

Is your feature request related to a problem? Please describe.

GCP supports service account impersonation, so that given credentials for a service account, it's possible to impersonate a different service account, given that the first is granted privileges to do so. The GcpStorageConfigurationInfo catalog configuration here actually has a gcpServiceAccount field that we never use when vending GCS storage credentials. We can use the code in https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#create-access to assume the target service account, then generate a short-lived token that has the target service account's privileges subscoped to the table location during the credential vending process.

Describe the solution you'd like

No response

Describe alternatives you've considered

No response

Additional context

No response
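The impersonate-then-downscope flow the request describes, written out as an added example with google-auth-library-java (this is not code from the issue or the project). The service account, bucket and table prefix are placeholders, and the "subscoped to the table location" step is implemented with a Credential Access Boundary:

```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.DownscopedCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ImpersonatedCredentials;
import java.io.IOException;
import java.util.List;

public class GcsCredentialVending {

  // Placeholder values: the catalog's configured service account and the table location.
  static final String TARGET_SA = "catalog-sa@example-project.iam.gserviceaccount.com";
  static final String BUCKET = "example-warehouse";
  static final String TABLE_PREFIX = "db/table1/"; // trailing slash: "db/table1" would also match "db/table10"

  /**
   * Vends a short-lived token that carries the target service account's identity
   * and is restricted to the table's objects via a Credential Access Boundary.
   */
  static AccessToken vendTableToken(GoogleCredentials source, boolean readOnly) throws IOException {
    // Step 1: impersonate the configured service account. The source identity needs
    // roles/iam.serviceAccountTokenCreator on TARGET_SA, otherwise this call fails.
    ImpersonatedCredentials target = ImpersonatedCredentials.create(
        source, TARGET_SA, null,
        List.of("https://www.googleapis.com/auth/cloud-platform"), 3600);

    // Step 2: downscope the impersonated token to the table location. The condition
    // keys on the object-name prefix, so the token cannot reach other tables' objects.
    CredentialAccessBoundary.AccessBoundaryRule rule =
        CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
            .setAvailableResource("//storage.googleapis.com/projects/_/buckets/" + BUCKET)
            .addAvailablePermission(readOnly
                ? "inRole:roles/storage.objectViewer"
                : "inRole:roles/storage.objectAdmin")
            .setAvailabilityCondition(
                CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition.newBuilder()
                    .setExpression("resource.name.startsWith('projects/_/buckets/"
                        + BUCKET + "/objects/" + TABLE_PREFIX + "')")
                    .build())
            .build();

    DownscopedCredentials downscoped = DownscopedCredentials.newBuilder()
        .setSourceCredential(target)
        .setCredentialAccessBoundary(
            CredentialAccessBoundary.newBuilder().addRule(rule).build())
        .build();
    return downscoped.refreshAccessToken();
  }

  public static void main(String[] args) throws IOException {
    AccessToken token = vendTableToken(GoogleCredentials.getApplicationDefault(), true);
    System.out.println("vended token expires at " + token.getExpirationTime());
  }
}
```

The downscoped token can only narrow what the impersonated service account already holds, so the target account's own IAM grants on the bucket remain the outer bound of what a vended credential can do.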

Labels: enhancement (New feature or request)