yoshidan / google-cloud-rust

Google Cloud Client Libraries for Rust.
MIT License

Support external-account #180

Closed yoshidan closed 1 year ago

yoshidan commented 1 year ago

How to use

Specify the external-account feature

google-cloud-pubsub = { version="0.18.0", default-features=false, features=["trace", "auth", "external-account", "rustls-tls"]}

Set the external account JSON file path as the environment variable GOOGLE_APPLICATION_CREDENTIALS in AWS (e.g. EC2).

# download from GCP workload identity provider 'CONNECTED SERVICE ACCOUNTS'
export GOOGLE_APPLICATION_CREDENTIALS=./clientLibraryConfig-xxxx.json
cat $GOOGLE_APPLICATION_CREDENTIALS
{
       "type": "external_account",
       "audience": "//iam.googleapis.com/projects/myprojectnumber/locations/global/workloadIdentityPools/xxx/providers/xxx",
       "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
       "service_account_impersonation_url": "https://iamcredentials.googleapis.com/test",
       "token_url": "https://sts.googleapis.com/v1/token",
       "credential_source": {
              "environment_id": "aws1",
              "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
              "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
              "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
       }
}
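
The file above tells the client where to read AWS credentials and where to send the resulting token request, so its endpoints are worth checking before GOOGLE_APPLICATION_CREDENTIALS points at it. The following is an added example, not code from this pull request or from google-cloud-rust: a std-only check that each URL in an AWS external_account file uses the scheme and host seen in the sample. The allowlist in `RULES`, the names `field`, `host` and `check`, and the naive string lookup used in place of a JSON parser are assumptions of this example.

```rust
// Added example. (key, required scheme, expected host or ".suffix"); values assumed from the sample.
const RULES: [(&str, &str, &str); 5] = [
    ("token_url", "https://", "sts.googleapis.com"),
    ("service_account_impersonation_url", "https://", "iamcredentials.googleapis.com"),
    ("region_url", "http://", "169.254.169.254"),
    ("url", "http://", "169.254.169.254"),
    ("regional_cred_verification_url", "https://", ".amazonaws.com"),
];

// Naive string-field lookup (no escapes, unique keys); stands in for a real JSON parser.
fn field<'a>(json: &'a str, key: &str) -> Option<&'a str> {
    let needle = format!("\"{}\"", key);
    let rest = &json[json.find(&needle)? + needle.len()..];
    let rest = rest.trim_start().strip_prefix(':')?.trim_start().strip_prefix('"')?;
    Some(&rest[..rest.find('"')?])
}

// Host of a URL with the required scheme; a userinfo part ("user@host") is rejected.
fn host<'a>(url: &'a str, scheme: &str) -> Option<&'a str> {
    let authority = url.strip_prefix(scheme)?.split(|c: char| "/?#\\".contains(c)).next()?;
    if authority.contains('@') { return None; }
    authority.split(':').next() // drop an optional port
}

// Returns the keys whose value is missing or points at an unexpected scheme or host.
fn check(json: &str) -> Vec<&'static str> {
    let mut bad = Vec::new();
    if field(json, "type") != Some("external_account") { bad.push("type"); }
    for (key, scheme, want) in RULES {
        let ok = field(json, key).and_then(|u| host(u, scheme)).map_or(false, |h| {
            if want.starts_with('.') { h.starts_with("sts.") && h.ends_with(want) } else { h == want }
        });
        if !ok { bad.push(key); }
    }
    bad
}

// Constructed sample: the endpoint fields of the file shown above.
const SAMPLE: &str = r#"{
 "type": "external_account",
 "token_url": "https://sts.googleapis.com/v1/token",
 "service_account_impersonation_url": "https://iamcredentials.googleapis.com/test",
 "credential_source": {
  "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
  "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
  "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
 }
}"#;
fn main() { println!("flagged keys: {:?}", check(SAMPLE)); }
```

An empty result means every endpoint matched the allowlist; any listed key should be reviewed by hand before the file is used.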