From 4cef086c00ade69793298abed4acfa9f2e562359 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Mon, 3 Jun 2019 17:28:39 -0700
Subject: [PATCH] Allow to use emails as service accounts on GCP

Fixes smallstep/step#163
---
 authority/provisioner/gcp.go      | 2 +-
 authority/provisioner/gcp_test.go | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/authority/provisioner/gcp.go b/authority/provisioner/gcp.go
index 953ed4c3..eed4e672 100644
--- a/authority/provisioner/gcp.go
+++ b/authority/provisioner/gcp.go
@@ -287,7 +287,7 @@ func (p *GCP) authorizeToken(token string) (*gcpPayload, error) {
 	if len(p.ServiceAccounts) > 0 {
 		var found bool
 		for _, sa := range p.ServiceAccounts {
-			if sa == claims.Subject {
+			if sa == claims.Subject || sa == claims.Email {
 				found = true
 				break
 			}
diff --git a/authority/provisioner/gcp_test.go b/authority/provisioner/gcp_test.go
index c4a7ac24..47013bdf 100644
--- a/authority/provisioner/gcp_test.go
+++ b/authority/provisioner/gcp_test.go
@@ -213,6 +213,7 @@ func TestGCP_AuthorizeSign(t *testing.T) {
 	p3, err := generateGCP()
 	assert.FatalError(t, err)
 	p3.ProjectIDs = []string{"other-project-id"}
+	p3.ServiceAccounts = []string{"foo@developer.gserviceaccount.com"}
 	aKey, err := generateJSONWebKey()
 	assert.FatalError(t, err)
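Review bot: The new condition in the `for` loop of authorizeToken accepts a match on either `claims.Subject` or `claims.Email`, so `p.ServiceAccounts` now holds two kinds of identifier (the unique ID carried in `sub` and the email) without the configuration saying so; the doc comment on the `ServiceAccounts` field, which is outside this hunk, should state it, e.g. `// ServiceAccounts lists the allowed service accounts, matched against either the token's sub (unique ID) or its email claim.`. That comment should also note, as GCP behaviour rather than anything this hunk shows, that a service account's email can be reused after the account is deleted and recreated while its unique ID is not, so an administrator who chooses the email form accepts a weaker binding than the ID form. It is also worth confirming that an empty `claims.Email` cannot match an empty entry in `p.ServiceAccounts`; the validation of the payload and of the provisioner configuration is not visible here, so this may already be excluded. authorizeToken starts and ends outside the hunk.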