
Implement a default centrally managed GCP service account for authentication to GCP API across GCP projects #362

Open
donistz opened this issue Dec 13, 2021 · 0 comments
Assignees
Labels
area/security (Security related), kind/enhancement (Enhancement, improvement, extension), lifecycle/rotten (Nobody worked on this for 12 months, final aging stage), platform/gcp (Google cloud platform/infrastructure), priority/2 (Priority; lower number equals higher priority)

Comments

@donistz

donistz commented Dec 13, 2021

How to categorize this issue?

/area security
/kind enhancement
/priority 2
/platform gcp

What would you like to be added:

Allow Gardener service providers to offer a default GCP service account for authentication to the GCP APIs for managing resources inside different GCP projects that belong to one and the same GCP organization.

Why is this needed:

When Gardener service consumers want to start using Gardener to manage shoot clusters on GCP, they have to create in their GCP project a service account with a key and grant permissions for compute administration and service account administration and usage to this GCP service account. Then they have to create a secret in their Gardener project in which to configure the details about the GCP project, service account and the key. This service account key is then used by Gardener for authentication to the GCP API when managing GCP project resources as part of the Kubernetes cluster management activities. GCP service account keys are static secrets and their owner should make sure that they are rotated properly.

When Gardener is hosted for internal corporate purposes, it is possible to configure one central "Gardener" GCP service account in a separate GCP project (owned by the Gardener ops team) of the GCP organization. The key for this service account will be managed (rotated) by the Gardener ops team as the owner of the GCP service account, and consumers will just have to grant the necessary permissions to this central service account in their projects, so that the Gardener service will have permissions to manage resources in their project using this service account key for authentication. This proposal is similar to the one made for an Azure default Gardener SPN per Azure AD.

More details about how to use GCP service accounts across GCP projects are available here: Centralize service accounts in separate projects.

@donistz donistz added the kind/enhancement Enhancement, improvement, extension label Dec 13, 2021
@gardener-robot gardener-robot added area/security Security related platform/gcp Google cloud platform/infrastructure priority/2 Priority (lower number equals higher priority) labels Dec 13, 2021
@dkistner dkistner self-assigned this Dec 17, 2021
@gardener-robot gardener-robot added the lifecycle/stale Nobody worked on this for 6 months (will further age) label Jun 16, 2022
@gardener-robot gardener-robot added lifecycle/rotten Nobody worked on this for 12 months (final aging stage) and removed lifecycle/stale Nobody worked on this for 6 months (will further age) labels Dec 22, 2022
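The consumer-side step the issue describes (grant the centrally managed service account compute administration plus service account administration and usage in the consumer project) is a read-modify-write on the project's IAM policy. The script below is an added example, not code from the issue or from the Gardener project: it takes the JSON that `gcloud projects get-iam-policy PROJECT --format=json` produces, adds the central service account as a member of the three roles idempotently, and audits the result so the ops team can confirm the account received exactly those roles and nothing broader such as `roles/owner`. The project ids, e-mail addresses, etag and the `OVERBROAD_ROLES` list are constructed placeholders; the role names are the standard GCP predefined roles that match the permissions named in the issue.

```python
"""Grant a central Gardener GCP service account the roles the issue lists in a
consumer project, and audit that nothing broader was granted.

Input: JSON from  gcloud projects get-iam-policy CONSUMER_PROJECT --format=json
Output can be applied with  gcloud projects set-iam-policy CONSUMER_PROJECT policy.json
(the etag is preserved so a concurrent policy change is rejected by GCP).
"""
import copy
import json

# Predefined roles matching the permissions named in the issue:
# compute administration, service account administration, service account usage.
REQUIRED_ROLES = (
    "roles/compute.admin",
    "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountUser",
)

# Roles a central SA should never hold in a consumer project (constructed list).
OVERBROAD_ROLES = frozenset({"roles/owner", "roles/editor"})


def central_sa_member(sa_name: str, ops_project: str) -> str:
    """IAM principal string for a service account that lives in the ops project."""
    return f"serviceAccount:{sa_name}@{ops_project}.iam.gserviceaccount.com"


def grant_roles(policy: dict, member: str, roles=REQUIRED_ROLES) -> dict:
    """Return a copy of `policy` with `member` bound to each role, idempotently.

    Bindings carrying an IAM condition are skipped on purpose: adding the
    member there would silently scope the grant to that condition.
    """
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for role in roles:
        target = next(
            (b for b in bindings if b["role"] == role and "condition" not in b),
            None,
        )
        if target is None:
            target = {"role": role, "members": []}
            bindings.append(target)
        if member not in target["members"]:
            target["members"].append(member)
    return new_policy


def roles_for_member(policy: dict, member: str) -> set:
    """All roles (conditional or not) that currently include `member`."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit(policy: dict, member: str) -> dict:
    """Report required roles still missing and overbroad roles present for `member`."""
    have = roles_for_member(policy, member)
    return {
        "missing": sorted(set(REQUIRED_ROLES) - have),
        "overbroad": sorted(have & OVERBROAD_ROLES),
    }


# Constructed sample of a consumer project's policy before the grant.
SAMPLE_POLICY = {
    "etag": "BwXConstructedEtag=",
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/compute.admin", "members": ["user:bob@example.com"]},
    ],
}
# Placeholder names for the central SA and the ops team's project.
MEMBER = central_sa_member("gardener", "gardener-ops-project")

if __name__ == "__main__":
    updated = grant_roles(SAMPLE_POLICY, MEMBER)
    print("audit:", json.dumps(audit(updated, MEMBER)))
    print(json.dumps(updated, indent=2))
```

Running the audit against the exported policy on a schedule is also a cheap way for the ops team to notice when a consumer project has handed the central account more than the three roles the proposal needs.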