Allow to use emails as service accounts on GCP

Fixes smallstep/step#163

authority/provisioner/gcp.go

@@ -287,7 +287,7 @@ func (p *GCP) authorizeToken(token string) (*gcpPayload, error) {
 	if len(p.ServiceAccounts) > 0 {
 		var found bool
 		for _, sa := range p.ServiceAccounts {
-			if sa == claims.Subject {
+			if sa == claims.Subject || sa == claims.Email {
 				found = true
 				break
 			}

authority/provisioner/gcp_test.go

@@ -213,6 +213,7 @@ func TestGCP_AuthorizeSign(t *testing.T) {
 	p3, err := generateGCP()
 	assert.FatalError(t, err)
 	p3.ProjectIDs = []string{"other-project-id"}
+	p3.ServiceAccounts = []string{"foo@developer.gserviceaccount.com"}
 
 	aKey, err := generateJSONWebKey()
 	assert.FatalError(t, err)