Vault Agent, GCP auto_auth, GKE & Workload Identity

I’m attempting to use Vault in agent mode with GCP authentication. The config looks something like this:

vault {
    address = "https://our-vault-address:1234"
}
auto_auth {
    method "gcp" {
        mount_path = "auth/gcp/our-gcp-path"
        config = {
            type = "iam"
            role = "flux"
        }
    }
    sink "file" {
        config = {
            path = "/tmp/token"
        }
    }
}

What’s novel is that this is inside a Kubernetes pod, specifically on GKE, and is associated with the Google Service Account via a Workload Identity binding.

The above config fails, as it tries to sign a JWT with a GSA by the name of “default”.

However, if I fetch the proper name by this:

curl -sk --header 'Metadata-Flavor: Google' \
  http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email

and I reconfigure the auth with service_account = "my-real-gsa@project.iam.gserviceaccount.com", then the agent kicks up and works properly.

Am I doing something wrong here in not configuring the agent correctly? Or is this a “bug” in the sense that the agent just doesn’t understand this niche(?) ecosystem so it doesn’t know how to fetch the “right” service account automatically?
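The workaround described in the post, as an added example that is not part of the original post or of Vault itself: a small POSIX shell script that asks the GCE metadata server (the same endpoint the post uses) for the email of the service account bound to the pod, refuses to continue unless the answer looks like a real GSA email rather than the pseudo-name "default", and renders the Vault Agent config from the post with service_account pinned to that value. The address, mount path, role and sink path are the post's own values; the email validation pattern, the function names and the output path /tmp/agent.hcl are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original post): resolve the Workload Identity
# GSA email from the metadata server and render a Vault Agent config that pins
# service_account to it, instead of letting the agent assume "default".
set -eu

# Endpoint from the post; on GKE with Workload Identity it returns the email of
# the GSA bound to the pod's Kubernetes service account.
METADATA_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email"

# Fetch the GSA email. -f makes curl fail (non-zero) on HTTP errors so that a
# missing binding is not silently turned into an empty service_account.
fetch_gsa_email() {
  curl -sf --header 'Metadata-Flavor: Google' "$METADATA_URL"
}

# Accept only values shaped like a GSA email (assumed check). Anything else,
# including the literal "default", is rejected before it reaches the config.
validate_gsa_email() {
  case "$1" in
    *@*.iam.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Render the agent config from the post with service_account filled in.
render_agent_config() {
  email="$1"
  cat <<EOF
vault {
    address = "https://our-vault-address:1234"
}
auto_auth {
    method "gcp" {
        mount_path = "auth/gcp/our-gcp-path"
        config = {
            type = "iam"
            role = "flux"
            service_account = "${email}"
        }
    }
    sink "file" {
        config = {
            path = "/tmp/token"
        }
    }
}
EOF
}

# Resolve, validate, and write the config (output path is an assumption).
main() {
  email="$(fetch_gsa_email)"
  if ! validate_gsa_email "$email"; then
    echo "refusing to render config: unexpected service account '$email'" >&2
    exit 1
  fi
  render_agent_config "$email" > /tmp/agent.hcl
  echo "wrote /tmp/agent.hcl for $email"
}

# Run only when executed as render-agent-config.sh, so the functions can also
# be sourced and reused without contacting the metadata server.
if [ "${0##*/}" = "render-agent-config.sh" ]; then
  main "$@"
fi
```

Save it as render-agent-config.sh and run it as an init step before vault agent -config=/tmp/agent.hcl; the validation step is what turns a missing or misconfigured Workload Identity binding into a loud failure instead of an agent that tries to sign with the wrong account.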