Commit 1dcb7d40 authored by Sven Schliesing's avatar Sven Schliesing Committed by Pierre Smeyers

feat: allow usage of "direct resource access" by omitting serviceAccount

parent 4952b87d
+30 −0
@@ -178,3 +178,33 @@ test-token-with-proxy-unavail-fails:
    - |
      response_status=$(curl -s -o "resp.txt" -w "%{http_code}" "http://gcp-auth-provider/token")
      assert_eq "500" $response_status "$(cat resp.txt)"

# test: get token without serviceaccount (direct resource access) account and provider shall succeed
test-token-without-serviceaccount-succeeds:
  extends: .test-base
  variables:
    CI_JOB_JWT_V2: $CI_JOB_JWT_V2
    FF_NETWORK_PER_BUILD: 1
    GCP_PROJECT: $GCP_PROJECT_WO_SA
    GCP_PROJECT_NUMBER: $GCP_PROJECT_NUMBER_WO_SA
  id_tokens:
    CI_JOB_JWT_V2:
      aud: https://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/gitlab/providers/gitlab
  services:
    - name: "$DOCKER_SNAPSHOT_IMAGE"
      alias: "gcp-auth-provider"
      variables:
        GCP_OIDC_PROVIDER: projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/gitlab/providers/gitlab
        GCP_OIDC_ACCOUNT: ""
  script:
    - |
      response_status=$(curl -s -o "resp.txt" -w "%{http_code}" "http://gcp-auth-provider/token")
      assert_eq "200" $response_status "$(cat resp.txt)"
      token=$(cat resp.txt)

      response_status=$(curl -s -o resp.txt -w "%{http_code}" -H "Authorization: Bearer $token" "https://cloudresourcemanager.googleapis.com/v1/projects/$GCP_PROJECT")
      assert_eq "200" $response_status
      project_id_result=$(cat resp.txt | jq -r .projectId)
      assert_eq "$GCP_PROJECT" $project_id_result
  rules:
    - if: '"$GCP_PROJECT" && "$GCP_PROJECT_NUMBER"'
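Review bot: The `rules` clause closing the new job gates on `$GCP_PROJECT` and `$GCP_PROJECT_NUMBER`, while the job's own `variables` block rebinds those to `$GCP_PROJECT_WO_SA` and `$GCP_PROJECT_NUMBER_WO_SA`; if the rule resolves the project-level values, a project that lacks the `_WO_SA` variables is not excluded and the job runs and fails instead of being skipped. Gating on the variables the job actually consumes is unambiguous: `- if: '"$GCP_PROJECT_WO_SA" && "$GCP_PROJECT_NUMBER_WO_SA"'`. Separately, the second `assert_eq "200" $response_status` in the script drops the response body that the first assertion passes, so a rejected resource call leaves no diagnostic in the job log; `assert_eq "200" "$response_status" "$(cat resp.txt)"` matches the line above it and keeps the status quoted.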
+6 −0
@@ -29,6 +29,12 @@ Retrieve authentication token using API.
    GET /token
    ```

### Direct resource access 

You can use direct resource access by skipping service account impersonation. Just omit `serviceAccount`. This way you do not need to create an intermediate service account. 

See https://docs.cloud.google.com/iam/docs/workload-identity-federation#direct-resource-access

#### Query Parameters


+11 −4
@@ -72,17 +72,24 @@ def token(request: Request):

        var_prefix = get_var_prefix(env_type)

        if not workload_identity_provider:
            workload_identity_provider = get_oidc_provider(var_prefix)

        if not service_account:
            service_account = get_oidc_account(var_prefix)
        if (not workload_identity_provider) or (not service_account):

        if not workload_identity_provider:
            raise HTTPException(
                status_code=400,
                detail=f"Token couldn't retrieve implicit OIDC provider/account for env='{env_type}', workloadIdentityProvider={workload_identity_provider}, service=Account{service_account}",
                detail=f"Token couldn't retrieve implicit OIDC provider for env='{env_type}', workloadIdentityProvider={workload_identity_provider}",
            )

    audience = f"//iam.googleapis.com/{workload_identity_provider}"

    federated_token = get_sts_token(audience)
    if not service_account:
        return PlainTextResponse(federated_token)

    gcloud_auth_token = get_iam_credentials(service_account, federated_token)

    return PlainTextResponse(gcloud_auth_token)
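Review bot: The early return after `get_sts_token` changes the authentication mode silently when `service_account` is empty: a missing implicit account used to be rejected with 400, and now the same condition, whether configured deliberately (the new CI test sets `GCP_OIDC_ACCOUNT: ""`) or caused by an unset or misnamed variable, hands the caller the raw STS federated token, whose permissions are those of the federated identity rather than the impersonated account. The return deserves a comment stating that contract, e.g. `# No service account configured: direct resource access. The STS federated token is returned as-is (not scoped by impersonation); an unset GCP_OIDC_ACCOUNT selects this mode instead of failing.` Consider whether direct access should be an explicit opt-in rather than inferred from an empty account, so a misconfiguration still fails as before; whether `get_oidc_account` returns `""` or `None` for an unset variable is not visible here. The body of `token` begins before this hunk, so the `env_type` branch that sets `service_account` is only partly in view.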