Support GCP Workload Identity in the repository-gcs plugin

[david-chong-glean]

Is your feature request related to a problem? Please describe.
Storing snapshots with the repository-gcs plugin requires a gcp service account key that's stored as a kubernetes secret. We'd like to avoid this secret as it requires additional overhead like periodically rotating the secret for security. GCP's Workload Identity feature would be a better alternative that avoids the need for a secret.

Describe the solution you'd like
Use GCP's workload identity feature for authentication in the repository-gcs plugin.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

[jazzlyn]

hi @davidchong-glean,
we use the repository-gcs plugin with workload identity. depends on your setup but maybe this helps with configuration, it works similar with opensearch: elastic/cloud-on-k8s#5230 (comment)

[peternied]

[Triage - attendees 1 2 3 4 5]
@davidchong-glean Thanks for filing this issue, we would welcome a pull request to add this functionality.

[FredericJames]

This capability alongside the projected volume one on the operator #459
would be really convenient to be compliant with managed k8s way of giving cloud resources permissions to workloads

[Bukhtawar]

We welcome a pull request. Maybe we just need to add standard GCP credential provider to the repository gcp
[Storage Triage - attendees 1 2 3 4 5 6 7 8 9 10