1 year ago
#331180
knucklehead
Gmail API with workload identity federation
I have created a workload identity pool with a third-party (Auth0) provider. I have configured my service account with domain-wide delegation and have enabled the Gmail API as well. I could generate the STS token successfully, but while executing the mail client it's giving me an error. Previously, with the service account approach, I used to provide the email as the subject to delegate access to the service account. Since I am using workload identity (to eliminate keys), I am getting the error "precondition check failed".
What are the limitations of workload identity federation? Can we access user data (mail/drive files) if we have enabled domain-wide delegation for the service accounts being used for workload identity federation?
I am attaching a snippet here:
const { google } = require('googleapis');

// jsonConfig: the workload identity federation client library config
// (type "external_account") downloaded for the pool provider.
// The file name is a placeholder for wherever the config is stored.
const jsonConfig = require('./client-library-config.json');

async function main2() {
  // Federated (keyless) client built from the external_account config
  const authClient = google.auth.ExternalAccountClient.fromJSON(jsonConfig);
  authClient.scopes = ['https://www.googleapis.com/auth/gmail.readonly',
    'https://www.googleapis.com/auth/cloud-platform'];
  const gmail = google.gmail({
    auth: authClient,
    version: 'v1'
  });
  const response = await gmail.users.getProfile({
    userId: 'abc@domain.com'
  });
  console.log(response);
}

main2().catch(err => console.error(err));
The JSON config contains the client library config. I am using the Node.js client library.
My use case is to take these configs from clients (mostly orgs) to access the sheets, drive and email of their users.
google-cloud-platform
gmail-api
service-accounts
google-api-nodejs-client
workload-identity
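For reference, this is the documented way to combine domain-wide delegation with a federated identity: the external account client cannot set a subject itself, so it uses its federated token to call the IAM Credentials signJwt API on the delegated service account (which needs the Service Account Token Creator role granted to the pool principal), and exchanges the resulting JWT for a user-scoped access token. This is an added example, not the asker's code; the service account email, the user subject and the role binding are assumptions.

```javascript
// Domain-wide delegation via workload identity federation (added example).
// Flow: federated client -> IAM Credentials signJwt on the service account
// (claims carry sub = the Workspace user) -> OAuth token endpoint exchange.
const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const IAM_URL = 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts';
const JWT_BEARER = 'urn:ietf:params:oauth:grant-type:jwt-bearer';

// Build the assertion claims. `now` is seconds since the epoch so the
// function is deterministic and testable offline.
function buildDelegationClaims(serviceAccount, subject, scopes, now) {
  return {
    iss: serviceAccount,          // the delegated service account (assumed name)
    sub: subject,                 // the user whose mailbox/drive is accessed
    aud: TOKEN_URL,
    scope: scopes.join(' '),
    iat: now,
    exp: now + 3600,              // Google rejects assertions valid > 1 hour
  };
}

// Form body for the jwt-bearer grant at the OAuth token endpoint.
function buildTokenExchangeBody(signedJwt) {
  return new URLSearchParams({ grant_type: JWT_BEARER, assertion: signedJwt });
}

// Network path. `federatedClient` is the ExternalAccountClient from the
// question (needs the cloud-platform scope for the IAM Credentials call).
async function getDelegatedAccessToken(federatedClient, serviceAccount, subject, scopes) {
  const { token } = await federatedClient.getAccessToken();
  const claims = buildDelegationClaims(serviceAccount, subject, scopes,
    Math.floor(Date.now() / 1000));
  const signRes = await fetch(`${IAM_URL}/${serviceAccount}:signJwt`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ payload: JSON.stringify(claims) }),
  });
  if (!signRes.ok) throw new Error(`signJwt failed: ${signRes.status}`);
  const { signedJwt } = await signRes.json();
  const tokenRes = await fetch(TOKEN_URL, {
    method: 'POST',
    body: buildTokenExchangeBody(signedJwt),
  });
  if (!tokenRes.ok) throw new Error(`token exchange failed: ${tokenRes.status}`);
  return (await tokenRes.json()).access_token;  // use as Bearer token for Gmail
}
```

The returned access token is then passed to the Gmail client (for example as an OAuth2 client credential) with userId 'me', so the domain-wide delegation subject is carried by the signed assertion rather than by the federated client.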
0 Answers