GCP CLI support: tsh and tctl changes

[Tener]

tsh and tctl changes for #17257

To be applied on top of #19789.

This is the final PR in the chain. Fixes #17257.

---

TODO: Testing:

• Google Storage interaction with gsutil tool. PR: GCP CLI support: add support for gsutil. #20072
• Terraform GCP provider. This works out of the box after configuring Terraform.

---

Setup:

1. Create a service account teleport-service.
2. Assign Service Account User role to the teleport-service account.
3. Deploy Teleport instance to GCP VM. Select teleport-service as a VM account to use. If you cannot select the service account, check that it has appropriate role (see step 2).
4. Create service accounts for users to use, for example:teleport-user-1 and teleport-user-2. Assign desired permissions for these accounts.
5. Grant access for teleport-user-1, teleport-user-2 etc. to teleport-service at least with Service Account Token Creator role. This will allow teleport-service to issue tokens as teleport-user-XXX. More info: https://cloud.google.com/iam/docs/service-accounts#token-creator-role
6. Configure GCP as a Teleport application. cloud: GCP is the critical part of the config.

app_service:
  enabled: "yes"
  apps:
  - name: gcpapp
    cloud: GCP

7. Ensure the user is allowed to use chosen service accounts. If this is a fresh cluster, the access role should contain the snippet below. If not, modify a role the user has access to include a reference to {{internal.gcp_service_accounts}}. You can also hardcode the list of identities in the role itself (not recommended).

spec:
  allow:
    gcp_service_accounts:
    - '{{internal.gcp_service_accounts}}'

10. When using {{internal.gcp_service_accounts}}, the list of allowed roles is sourced from user-specific traits. To update an existing user use tctl users update <username> --set-gcp-service-accounts ID_1,ID_2,ID_3,..., where ID_N is a full name of service account (e.g. teleport-user-1@my-account-123456.iam.gserviceaccount.com )
11. Refresh client login with tsh logout; tsh login --proxy=....
12. Log in to gcpapp app with tsh app login gcpapp [--gcp-service-account ACCOUNT]. The service account is optional if there is just one available. The service account name can be shortened by discarding domain (e.g. teleport-user-1) as long as it doesn't make it ambigous.
13. Run commands with tsh gcloud ..., e.g. tsh gcloud compute instances list.
14. Alternatively, start a proxy with tsh proxy gcloud and follow printed instructions.

Notes:

1. Instead of deploying Teleport to GCP VM, you can download the key for teleport-service service account to your local machine and set the GOOGLE_APPLICATION_CREDENTIALS env variable to its location. This is handful in development, but not recommended for production as the key file can be stolen. Example: GOOGLE_APPLICATION_CREDENTIALS=/path/to/teleport-service-my-account-123456-ee0011223344.json teleport start
2. The setup above assumes Teleport is running as a privileged account teleport-service which is inaccessible to Teleport users.

[GavinFrazar]

Mostly LGTM, but a few things I'd like to address before approving

[Tener]

@smallinsky

Regarding point:

• Terraform GCP provider.

This works out of the box, but Terraform needs to be configured correctly.

Assuming we are running tsh proxy gcp like so:

TELEPORT_GCLOUD_SECRET=my_gcloud_secret tsh proxy gcp --port 3500
Started GCP proxy on http://127.0.0.1:3500.

Use the following credentials and HTTPS proxy setting to connect to the proxy:

  export BOTO_CONFIG=/Users/myuser/.tsh/gcp/teleport.example.com/gcp/bd460f17_boto.cfg
  export CLOUDSDK_AUTH_ACCESS_TOKEN=my_gcloud_secret
  export CLOUDSDK_CONFIG=/Users/myuser/.tsh/gcp/teleport.example.com/gcp/gcloud
  export CLOUDSDK_CORE_CUSTOM_CA_CERTS_FILE=/Users/myuser/.tsh/keys/teleport.example.com/myuser-app/teleport.example.com/gcp-localca.pem
  export CLOUDSDK_CORE_PROJECT=myproject-123456
  export HTTPS_PROXY=http://127.0.0.1:3500

Then we must run Terraform with the following env variables exported:

  export HTTPS_PROXY=http://127.0.0.1:3500
  export GOOGLE_OAUTH_ACCESS_TOKEN=my_gcloud_secret

Instead of using GOOGLE_OAUTH_ACCESS_TOKEN the token can be saved in a file as per https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#access_token.

Unlike some other apps, Terraform does not provide explicit support for custom CA certs: hashicorp/terraform#28551.

To make it trust /Users/myuser/.tsh/keys/teleport.example.com/myuser-app/teleport.example.com/gcp-localca.pem we must use platform-specific mechanisms available to Go-based programs. On Linux that can be SSL_CERT_FILE env var, on MacOS security add-trusted-cert. I'm not sure what the preferred mechanism is on Windows.