
credentials: add GcpServiceAccountIdentityCallCredentials call credentials type (gRFC A83). #8974

Open

Pranjali-2501 wants to merge 1 commit into grpc:master from Pranjali-2501:call-credential-changes

Conversation

Pranjali-2501 (Contributor) commented Mar 15, 2026

This PR implements GcpServiceAccountIdentityCallCredentials, a new call credentials type required by gRFC A83: xDS GCP Authentication Filter. This credential fetches and manages GCP Service Account Identity tokens for a given audience, allowing gRPC services running on GCP to authenticate RPCs.

Implementation Details & gRFC Deviations

The gRFC provides detailed specifications for how this credential should manually fetch tokens from the GCE metadata server, extract the exp field, and manually calculate refresh intervals (e.g., refreshing 30 seconds early).

However, we have decided to use the Google Auth library to fetch the token.

In Go, the standard Google API authentication packages (golang.org/x/oauth2/google) only provide access tokens, which are fundamentally different from the identity tokens required here.

To properly fetch identity tokens, we have decided to use the officially supported Google Auth library for Go: cloud.google.com/go/auth/credentials/idtoken.

The library causes the following behavioral differences from the gRFC.

  • Hardcoded early expiry: The idtoken package has its own internal logic and hardcoded values for when to proactively refresh a token (currently, it expires tokens 5 minutes early, not 30 seconds early as suggested by the gRFC).
  • Execution: We rely on idtoken.NewCredentials to handle the HTTP requests to the metadata server, extraction of the JWT, and cache invalidation.

Behavioral Guarantees Implemented:

  • Handles fetching the token on-demand based on the provided audience.
  • Ensures data-plane RPCs block concurrently while a single background network request fetches the token.
  • Applies standard exponential backoff if the token fetch fails.
  • Injects the authorization: Bearer header into outbound metadata.

RELEASE NOTES: N/A

@Pranjali-2501 Pranjali-2501 added this to the 1.81 Release milestone Mar 15, 2026
@Pranjali-2501 Pranjali-2501 added labels Type: Feature (New features or improvements in behavior) and Area: xDS (Includes everything xDS related, including LB policies used with xDS.) Mar 15, 2026
@Pranjali-2501 Pranjali-2501 requested a review from mbissa March 15, 2026 21:43
codecov bot commented Mar 15, 2026

Codecov Report

❌ Patch coverage is 64.00000% with 27 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.95%. Comparing base (f967422) to head (d36cb5a).

Files with missing lines Patch % Lines
...google/gcp_service_account_identity_credentials.go 64.00% 24 Missing and 3 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #8974      +/-   ##
==========================================
- Coverage   83.13%   82.95%   -0.18%     
==========================================
  Files         411      412       +1     
  Lines       32704    32779      +75     
==========================================
+ Hits        27187    27191       +4     
- Misses       4140     4193      +53     
- Partials     1377     1395      +18     
Files with missing lines Coverage Δ
...google/gcp_service_account_identity_credentials.go 64.00% <64.00%> (ø)

... and 25 files with indirect coverage changes
