Description
Checklist
- I did not find a related open enhancement request.
- I understand that enhancement requests filed in the GitHub repository are by default low priority.
- If this request is time-sensitive, I have submitted a corresponding issue with GCP support.
Describe the feature or resource
It would be awesome to be able to reference Google-managed service accounts in IAM resources.
For example, if I add a PubSubTopic and use a customer-managed encryption key on it, I would like to add an IAMPolicyMember that just references the Google-managed account so I don't need to hardcode a project number in it:
`serviceAccount:service-{PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com`
How this could work:

```yaml
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: iampolicymember-pubsub-kms
spec:
  memberFrom:
    serviceAccountRef:
      external:
        googleManaged: gcp-sa-pubsub
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
  resourceRef:
    kind: KMSCryptoKey
    name: kmscryptokey
```

And that would add `serviceAccount:service-{PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com`
to it automatically, without hardcoding the project number.
Additional information
https://cloud.google.com/iam/docs/service-agents

```shell
gcloud storage service-agent --project=PROJECT_IDENTIFIER
```
Importance
It will become a blocker, as currently in Terraform I can use a data source to grab the default service accounts.
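As an added example that is not part of this issue, of Config Connector, or of Terraform: the manual workaround the request is trying to avoid, done with gcloud so that the project number is resolved rather than hardcoded. It resolves the project ID to its project number, makes sure the Pub/Sub service agent has actually been provisioned (service agents are created lazily, so a binding written before that references a principal that does not exist yet), builds the member string, and binds the role on the key itself rather than on the project, which is the least-privilege scope for a CMEK grant. Project, key ring, key and location names are placeholders, and the `RUN_EXAMPLE` guard and the helper function names are this example's own, not gcloud's.

```shell
#!/usr/bin/env bash
# Added example: grant a Google-managed service agent a role on a KMS key without
# hand-writing the project number. Requires an authenticated gcloud to apply;
# the string helpers run offline. All names below are placeholders.
set -eu

# Build the IAM member string for a service agent from a project number and
# the agent's domain prefix (e.g. gcp-sa-pubsub). Pure, no network access.
service_agent_member() {
  printf 'serviceAccount:service-%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Check whether an IAM member string is a gcp-sa-* service agent. Useful when
# reviewing a policy dump; note that not every Google-managed identity follows
# this pattern (the Compute default agent lives under cloudservices.gserviceaccount.com).
is_service_agent_member() {
  printf '%s\n' "$1" | grep -Eq '^serviceAccount:service-[0-9]+@gcp-sa-[a-z0-9-]+\.iam\.gserviceaccount\.com$'
}

# Resolve a project ID to its immutable project number.
project_number() {
  gcloud projects describe "$1" --format='value(projectNumber)'
}

# Service agents are provisioned lazily; create (idempotently) the one for the
# given API so the member exists before the binding is written.
ensure_service_agent() {
  gcloud beta services identity create --service="$2" --project="$1" >/dev/null
}

# Bind the role on the key, not on the project, so the agent can use only this key.
grant_on_key() {
  # args: project_id location keyring key member
  gcloud kms keys add-iam-policy-binding "$4" \
    --project="$1" --location="$2" --keyring="$3" \
    --member="$5" --role="roles/cloudkms.cryptoKeyEncrypterDecrypter"
}

# Confirm the binding landed; exits non-zero if the member is absent from the policy.
verify_on_key() {
  # args: project_id location keyring key member
  gcloud kms keys get-iam-policy "$4" \
    --project="$1" --location="$2" --keyring="$3" --format=json \
    | grep -Fq "\"$5\""
}

main() {
  project_id="${1:-my-project}"          # placeholder project ID
  location="${2:-us-central1}"           # placeholder key location
  keyring="${3:-my-keyring}"             # placeholder key ring
  key="${4:-my-key}"                     # placeholder key

  ensure_service_agent "$project_id" pubsub.googleapis.com
  number=$(project_number "$project_id")
  member=$(service_agent_member "$number" gcp-sa-pubsub)
  is_service_agent_member "$member" || { echo "unexpected member: $member" >&2; exit 1; }

  grant_on_key "$project_id" "$location" "$keyring" "$key" "$member"
  verify_on_key "$project_id" "$location" "$keyring" "$key" "$member"
  echo "granted cryptoKeyEncrypterDecrypter on $key to $member"
}

# Only talk to GCP when explicitly asked, so the helpers can be sourced safely.
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
  main "$@"
fi
```

Run it with `RUN_EXAMPLE=1 ./grant-agent.sh my-project us-central1 my-keyring my-key`; without the variable the script only defines the functions, so it can be sourced to reuse `service_agent_member` and `is_service_agent_member` when auditing exported IAM policies.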