I have a use case where I would like for different service accounts within a GCP project to be able to authenticate to Vault and gain access to secrets under a path like 'secret/project/serviceaccount_name'. In order for this to work without having to create a separate policy for every service account, this information needs to be included in the alias metadata so we can create policies of the form
```hcl
path "secret/{{identity.entity.aliases.<<mount_accessor>>.metadata.service_account_project}}/{{identity.entity.aliases.<<mount_accessor>>.metadata.service_account_name}}/*" {
  capabilities = ["read"]
}
```
We have a similar scheme in place for Kubernetes-based authentication (using Kubernetes namespace and service account name); however, the GCP authentication plugin only seems to make the service account unique ID available through the alias metadata. This feature request is simply to have the plugin return additional metadata, particularly the service account project and service account name, or failing that, the service account email address.
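As an added illustration (not the plugin's own code), the metadata derivation this request implies and the per-account secret prefix the templated policy above would render. It assumes user-managed service account emails of the form name@project.iam.gserviceaccount.com; the struct and function names are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// AliasMetadata holds the extra alias metadata the request asks for
// (hypothetical field names, mirroring the keys used in the policy template).
type AliasMetadata struct {
	ServiceAccountID      string
	ServiceAccountEmail   string
	ServiceAccountProject string
	ServiceAccountName    string
}

// userManagedSA matches "name@project.iam.gserviceaccount.com".
var userManagedSA = regexp.MustCompile(`^([a-z0-9-]{6,30})@([a-z0-9-]{6,30})\.iam\.gserviceaccount\.com$`)

// MetadataFromEmail derives project and name for user-managed service accounts.
// Google-managed accounts (e.g. "<number>-compute@developer.gserviceaccount.com")
// do not carry the project ID in their email, so the function refuses to guess
// rather than populate metadata that a policy would then trust.
func MetadataFromEmail(uniqueID, email string) (AliasMetadata, error) {
	m := userManagedSA.FindStringSubmatch(strings.ToLower(email))
	if m == nil {
		return AliasMetadata{}, fmt.Errorf("cannot derive project/name from %q", email)
	}
	return AliasMetadata{ServiceAccountID: uniqueID, ServiceAccountEmail: email,
		ServiceAccountProject: m[2], ServiceAccountName: m[1]}, nil
}

// SecretPrefix renders the templated path "secret/<project>/<name>/" for an alias.
// The trailing slash matters: without it, "billing-api" would also match "billing-api2".
func SecretPrefix(md AliasMetadata) string {
	return "secret/" + md.ServiceAccountProject + "/" + md.ServiceAccountName + "/"
}

// Allowed reports whether the rendered policy would grant read on secretPath.
func Allowed(md AliasMetadata, secretPath string) bool {
	return strings.HasPrefix(secretPath, SecretPrefix(md))
}

func main() {
	// Constructed sample input, not a real account.
	md, err := MetadataFromEmail("1234", "billing-api@my-project.iam.gserviceaccount.com")
	fmt.Println(SecretPrefix(md), Allowed(md, "secret/my-project/billing-api2/x"), err)
}
```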