GCP Workload Identity Federation - invalid token request when using a Service Account

[sjenkins7]

Describe the bug
When using Workload Identity Federation in GCP, all attempts to setup a SecretStore with a serviceAccountRef all result with a status of InvalidProviderConfig with the following error message in the logs:

{"level":"error","ts":1759177167.2794123,"msg":"Reconciler error","controller":"secretstore","controllerGroup":"external-secrets.io","controllerKind":"SecretStore","SecretStore":{"name":"testing-gcp","namespace":"testing"},"namespace":"testing","name":"testing-gcp","reconcileID":"e5dcb1ec-2a66-4ef1-a799-9af9ad478da3","error":"could not get provider client: unable to get credentials: invalid subject token request, audience is //iam.googleapis.com/projects/[REDACTED]/locations/global/workloadIdentityPools/core-external-pool/providers/core-cluster-provider(expected ) and subject_token_type is urn:ietf:params:oauth:token-type:jwt(expected urn:ietf:params:oauth:token-type:jwt)","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...[]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.1/pkg/internal/controller/controller.go:474\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...[]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.1/pkg/internal/controller/controller.go:421\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func1.1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.1/pkg/internal/controller/controller.go:296"}

To Reproduce
Steps to reproduce the behavior:

Examples used:

apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: testing-gcp
  namespace: testing
spec:
  provider:
    gcpsm:
      projectID: [REDACTED]
      auth:
        workloadIdentityFederation:
          audience: //iam.googleapis.com/projects/[REDACTED]/locations/global/workloadIdentityPools/core-external-pool/providers/core-cluster-provider
          serviceAccountRef:
            audiences:
            - //iam.googleapis.com/projects/[REDACTED]/locations/global/workloadIdentityPools/core-external-pool/providers/core-cluster-provider
            name: testing-gcp
            namespace: testing
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: testing-gcp
  namespace: testing

Kubernetes: v1.33.4
ESO: v0.20.1

Expected behavior
Expected SecretStore to be Valid

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Looking at the codebase, it looks like the Token Supplier is created before all of the defaults are applied. As it is impossible to also supply a credsConfig without failing validation, the audience is always blank.

Flipping these around locally gets it to work - happy to offer up a PR, but am entirely unfamiliar with the tests.

[gusfcarvalho]

hi @sjenkins7 . The checks you are seeing there are validation checks to prevent misconfiguration abuse. You must provide a valid credsConfig to use workloadIdentityFederation.

[gusfcarvalho]

any other help can be given by @bharath-b-rh .

[sjenkins7]

hi @sjenkins7 . The checks you are seeing there are validation checks to prevent misconfiguration abuse. You must provide a valid credsConfig to use workloadIdentityFederation.

Unfortunately if you supply both a serviceAccountRef and a credsConfig - it fails validation.

I am deliberately avoiding trying to tie all of these permissions to 1 singular account, hence the attempt to create serviceAccountRef on it's own. Based on what I understand of the tests, the example I provided should be valid - it's just that the token supplier doesn't get the defaults. This means that when the validation is done, the audience doesn't match ( as the token supplier never got it )

EDIT: clarification

[bharath-b-rh]

Sorry about that! I've fixed the issue in #5392.

[Sollimann]

Posting here for visibility as the issues seem related: #5790