Support workload identity in Google connector #1756

@redbaron

Workload identity allows accessing Google APIs without having a static service account token. The GKE metadata server available in each pod is used to fetch tokens.

Workload identity tokens work as a replacement for GSA tokens, but they are not accepted by the GSuite Admin API, because the Admin API requires impersonation of a GSuite admin. Impersonation IS possible with a workload identity token, hence this proposal.

An example of GSuite admin impersonation can be found here: https://github.com/salrashid123/oauth2#impersonated-credentials-with-domain-wide-delegation

So the proposal is the following:

  • if the Google connector config specifies adminEmail but does not specify serviceAccountFilePath, the Google connector attempts to use a workload identity token to impersonate the GSuite admin and create an Admin API client instance
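A sketch of the code path the proposal describes, added here as an example (not dex's own code): the config struct, function names and sample values are this example's assumptions; it covers the mode selection and the domain-wide-delegation JWT that IAM Credentials signs on the pod's behalf, and leaves out the metadata-server token fetch and the final OAuth2 assertion exchange.

```go
package main

import (
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// GoogleConfig: the two connector fields the proposal keys on (example names).
type GoogleConfig struct {
	AdminEmail             string
	ServiceAccountFilePath string
}

// SelectCredentialMode applies the proposed rule: adminEmail present and no
// serviceAccountFilePath selects workload identity; a key file wins if given.
func SelectCredentialMode(c GoogleConfig) string {
	switch {
	case c.AdminEmail == "":
		return "none" // no Admin API client is created at all
	case c.ServiceAccountFilePath != "":
		return "service-account-key"
	default:
		return "workload-identity"
	}
}

// DelegationClaims is the JWT claim set domain-wide delegation needs: iss is the
// GSA the pod runs as, sub is the GSuite admin being impersonated. The pod holds
// no private key, so these claims are sent to IAM Credentials signJwt for signing.
func DelegationClaims(gsaEmail, adminEmail string, scopes []string, now time.Time) ([]byte, error) {
	if gsaEmail == "" || adminEmail == "" || len(scopes) == 0 {
		return nil, errors.New("gsaEmail, adminEmail and at least one scope are required")
	}
	return json.Marshal(map[string]interface{}{
		"iss":   gsaEmail,
		"sub":   adminEmail,
		"scope": strings.Join(scopes, " "),
		"aud":   "https://oauth2.googleapis.com/token",
		"iat":   now.Unix(),
		"exp":   now.Add(time.Hour).Unix(), // Google rejects assertions longer than 1h
	})
}

// SignJwtRequest builds the IAM Credentials signJwt call; it is authorised with
// the access token the GKE metadata server hands the pod, not a static key.
func SignJwtRequest(gsaEmail string, claims []byte) (string, []byte, error) {
	url := "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/" + gsaEmail + ":signJwt"
	body, err := json.Marshal(map[string]string{"payload": string(claims)})
	return url, body, err
}
```

The signed JWT that signJwt returns is then posted to the `aud` token endpoint as a `jwt-bearer` assertion, and the resulting access token is what the Admin API client uses.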
