Add Support for GCP Short-lived Credentials via Service Account Credentials API #707

@ehsandeep

Description

Implement support for GCP short-lived credentials using the Service Account Credentials API to enhance security by eliminating reliance on static service account keys.

Current State

GCP provider only supports static, long-lived authentication:

  • Service account keys (JSON files)
  • Application Default Credentials (often long-lived)

Proposed Feature

Generate temporary access tokens (1-12 hours) from any of the supported source credentials (ADC, user credentials, service account keys, workload identity), as the following configuration examples show.

Configuration Examples

Developer workflow (no keys needed):

gcp:
  use_short_lived_credentials: true
  service_account_email: "[email protected]"
  # Uses: gcloud auth login → ADC → short-lived token

CI/CD with minimal permissions:

gcp:
  use_short_lived_credentials: true
  service_account_email: "[email protected]"
  source_credentials: "minimal-ci-sa.json"  # Only has impersonation permission

GKE/Compute Engine (zero secrets):

gcp:
  use_short_lived_credentials: true
  service_account_email: "[email protected]"
  # Uses workload identity automatically

Migration from existing keys:

gcp:
  use_short_lived_credentials: true
  service_account_email: "[email protected]"
  gcp_service_account_key: "existing-key.json"  # Generates short-lived from static key
  token_lifetime: "3600s"

Benefits

  • Security: Tokens auto-expire, reducing blast radius of compromises
  • Zero credential distribution: Developers use gcloud auth login instead of sharing key files
  • CI/CD security: Minimal permission keys for impersonation vs full-access static keys
  • Compliance: Aligns with zero-trust and credential rotation best practices
  • Audit trail: Each execution generates fresh tokens with proper logging

CLI Implementation Notes

  • Generate fresh token per cloudlist execution
  • In-memory token refresh only if discovery operation exceeds token lifetime
  • No persistent token storage (CLI exits when done)
  • Backward compatibility with all existing auth methods
  • Graceful fallback if Service Account Credentials API unavailable

Required IAM Permission

The source credentials need the roles/iam.serviceAccountTokenCreator role (or a custom role that grants the iam.serviceAccounts.generateAccessToken permission) on the target service account.

Success Criteria

  • Support all source credential types (ADC, user creds, SA keys, workload identity)
  • Configurable token lifetime (1-12 hours)
  • Service account impersonation support
  • Automatic token refresh during long operations
  • Full backward compatibility
  • Clear error messages for permission issues
  • Documentation with migration examples
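The following is an added example, not cloudlist's own code, of what the configuration examples, the "CLI Implementation Notes" and the "Required IAM Permission" section above add up to: a minimal client for the Service Account Credentials API's generateAccessToken method that validates the token_lifetime setting against the 1-12 hour window, keeps the token in memory only, decides when a long discovery run needs a refresh, and maps a 403 to the IAM grant named above. The names TokenSource, ParseLifetime and newMockIAMCredentials are hypothetical; the source credential is assumed to have already been turned into a bearer token by whatever auth path the config selects (a production implementation would more likely rely on Google's client libraries, for example google.golang.org/api/impersonate, instead of hand-rolling the HTTP call), and the mock server is constructed so the example runs offline.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Wire format of projects/-/serviceAccounts/{email}:generateAccessToken.
type tokenRequest struct {
	Scope    []string `json:"scope"`
	Lifetime string   `json:"lifetime"` // protobuf Duration string, e.g. "3600s"
}

type tokenResponse struct {
	AccessToken string `json:"accessToken"`
	ExpireTime  string `json:"expireTime"` // RFC 3339
}

// ShortLivedToken lives only in memory for the duration of one CLI run.
type ShortLivedToken struct {
	AccessToken string
	ExpireTime  time.Time
}

// NeedsRefresh is true when a discovery step starting now could outlive the token.
func (t *ShortLivedToken) NeedsRefresh(now time.Time, margin time.Duration) bool {
	return !now.Add(margin).Before(t.ExpireTime)
}

// ParseLifetime validates the token_lifetime config value against the issue's 1-12 hour window.
func ParseLifetime(s string) (time.Duration, error) {
	d, err := time.ParseDuration(s)
	if err != nil || d < time.Hour || d > 12*time.Hour {
		return 0, fmt.Errorf("token_lifetime %q must be a duration between 1h and 12h", s)
	}
	return d, nil
}

// TokenSource (hypothetical) holds the source credential, already reduced to a bearer token
// (ADC, user login, SA key and workload identity all yield one), and the target to impersonate.
type TokenSource struct {
	BaseURL             string // production: https://iamcredentials.googleapis.com
	SourceBearerToken   string
	ServiceAccountEmail string
	Lifetime            time.Duration
	Client              *http.Client
}

// GenerateAccessToken exchanges the source credential for a short-lived token on the target
// service account and turns a 403 into the IAM grant that fixes it.
func (ts *TokenSource) GenerateAccessToken(scopes []string) (*ShortLivedToken, error) {
	body, _ := json.Marshal(tokenRequest{Scope: scopes, Lifetime: fmt.Sprintf("%ds", int(ts.Lifetime.Seconds()))})
	req, err := http.NewRequest(http.MethodPost, ts.BaseURL+"/v1/projects/-/serviceAccounts/"+
		ts.ServiceAccountEmail+":generateAccessToken", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+ts.SourceBearerToken)
	req.Header.Set("Content-Type", "application/json")
	resp, err := ts.Client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusForbidden {
		return nil, fmt.Errorf("cannot impersonate %s: grant the source credentials roles/iam.serviceAccountTokenCreator "+
			"(iam.serviceAccounts.generateAccessToken) on that service account", ts.ServiceAccountEmail)
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("generateAccessToken: HTTP %d", resp.StatusCode)
	}
	var tr tokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return nil, err
	}
	exp, err := time.Parse(time.RFC3339, tr.ExpireTime)
	if err != nil {
		return nil, fmt.Errorf("bad expireTime %q: %w", tr.ExpireTime, err)
	}
	return &ShortLivedToken{AccessToken: tr.AccessToken, ExpireTime: exp}, nil
}

// newMockIAMCredentials is a constructed stand-in for iamcredentials.googleapis.com so the
// example runs offline: it authorizes exactly one source token and honours the lifetime.
func newMockIAMCredentials(validSource string, now time.Time) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+validSource {
			http.Error(w, `{"error":{"status":"PERMISSION_DENIED"}}`, http.StatusForbidden)
			return
		}
		var tr tokenRequest
		_ = json.NewDecoder(r.Body).Decode(&tr)
		lifetime, _ := time.ParseDuration(tr.Lifetime)
		_ = json.NewEncoder(w).Encode(tokenResponse{AccessToken: "ya29.constructed-sample-token",
			ExpireTime: now.Add(lifetime).UTC().Format(time.RFC3339)})
	}))
}
```

A CLI run would call ParseLifetime once on the config, GenerateAccessToken once at startup, and check NeedsRefresh with a margin of a few minutes before each long-running discovery step, regenerating the token rather than persisting it; the 403 branch is what turns a bare PERMISSION_DENIED into the "clear error message for permission issues" the success criteria ask for.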
