FR: add support for google JWTAccessTokens #47

Open

salrashid123 opened this issue Aug 19, 2019 · 0 comments


Feature request to add support for providing Google JWTAccessTokens through Vault.

These tokens can be derived from service accounts and are a special token type used to authenticate against certain Google services. For more info, see AccessTokenCredentials.

I put together a prototype of secret_type=jwt_access_token by directly copying the access_token implementation code, then adding an additional flag for audience:

https://github.com/salrashid123/vault-plugin-secrets-gcp/blob/master/README_oidc_jwt.md#run-jwt-access

secrets_jwt_access_token.go

```bash
vault write gcp/roleset/my-jwttoken-roleset \
  project="clamav-241815" \
  secret_type="jwt_access_token" \
  audience="https://pubsub.googleapis.com/google.pubsub.v1.Publisher" \
  [email protected]
```
  • use jwtaccess.hcl to define its capabilities
```hcl
resource "projects/clamav-241815" {
    roles = ["roles/pubsub.admin"]
}
```
  • then read the jwtaccess secret back
```
vault read gcp/jwtaccess/my-jwttoken-roleset
Key                   Value
---                   -----
expires_at_seconds    1566158485
jwt_access_token      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCI
```

which includes claims:

```json
{
  "iss": "vaultmy-jwttoken-ro-1566154879@clamav-241815.iam.gserviceaccount.com",
  "aud": "https://pubsub.googleapis.com/google.pubsub.v1.Publisher",
  "exp": 1566158485,
  "iat": 1566154885,
  "sub": "vaultmy-jwttoken-ro-1566154879@clamav-241815.iam.gserviceaccount.com"
}
```

a user can then apply the token to a request:

```bash
curl -v -H "Authorization: Bearer ..." https://pubsub.googleapis.com/v1/projects/clamav-241815/topics
{
  "topics": [
    {
      "name": "projects/clamav-241815/topics/testtopic"
    }
  ]
}
```

Note: unlike #46, the bindings here make sense since IAM policies need to be in place for the last step. Essentially, this FR is equivalent to the access_token flow that is there now, but is optimized for certain GCP services.
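The token the issue shows is a self-signed JWT: the service account signs a claim set whose `iss` and `sub` are its own email and whose `aud` is the target service, and the Google API verifies that signature against the service account's public key instead of calling the token endpoint. The following Go program is an added example, not code from this issue or from the vault-plugin-secrets-gcp project. It mints such a token and verifies it the way a receiving service would, with the following assumptions: a freshly generated RSA key stands in for the service account key, the `kid` header Google's tokens carry for the signing key is omitted, and only the standard library is used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// JWTAccessClaims mirrors the claim set shown in the issue: iss and sub are the
// service account email, aud is the Google service the token is bound to.
type JWTAccessClaims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Iat int64  `json:"iat"`
	Sub string `json:"sub"`
}

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// SignJWTAccessToken mints a self-signed RS256 JWT access token. Assumption for
// this example: no "kid" header, so the verifier must already know the key.
func SignJWTAccessToken(key *rsa.PrivateKey, saEmail, audience string, now time.Time, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, err := json.Marshal(JWTAccessClaims{
		Iss: saEmail, Sub: saEmail, Aud: audience,
		Iat: now.Unix(), Exp: now.Add(ttl).Unix(),
	})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyJWTAccessToken does what the receiving service does with the token:
// pins the algorithm (no "none"/HS256 confusion), checks the signature against
// the service account's public key, then enforces audience and expiry.
func VerifyJWTAccessToken(pub *rsa.PublicKey, token, wantAud string, now time.Time) (JWTAccessClaims, error) {
	var claims JWTAccessClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims, errors.New("malformed token: expected 3 segments")
	}
	var header struct {
		Alg string `json:"alg"`
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(headerJSON, &header) != nil || header.Alg != "RS256" {
		return claims, errors.New("bad header or unsupported alg (only RS256 accepted)")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return claims, errors.New("signature verification failed")
	}
	claimsJSON, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(claimsJSON, &claims) != nil {
		return claims, errors.New("claims segment is not valid base64url JSON")
	}
	if claims.Aud != wantAud {
		return claims, fmt.Errorf("audience mismatch: got %q, want %q", claims.Aud, wantAud)
	}
	if now.Unix() >= claims.Exp {
		return claims, errors.New("token expired")
	}
	return claims, nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the SA key
	if err != nil {
		panic(err)
	}
	const sa = "vaultmy-jwttoken-ro-1566154879@clamav-241815.iam.gserviceaccount.com"
	const aud = "https://pubsub.googleapis.com/google.pubsub.v1.Publisher"
	tok, err := SignJWTAccessToken(key, sa, aud, time.Now(), time.Hour)
	if err != nil {
		panic(err)
	}
	claims, err := VerifyJWTAccessToken(&key.PublicKey, tok, aud, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("iss=%s aud=%s exp=%d\n", claims.Iss, claims.Aud, claims.Exp)
	fmt.Printf("curl -H 'Authorization: Bearer %s' https://pubsub.googleapis.com/v1/projects/clamav-241815/topics\n", tok)
}
```

Two things worth noticing for the Vault use case: the audience is baked into the signature, so a token minted for the Pub/Sub audience cannot be replayed against another service, and the token is only as revocable as its `exp`, since nothing is registered with Google when it is issued. Both argue for keeping the roleset's audience narrow and the TTL short.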
