Unable to sign GCS URL with gcloud default login

Question


I am working on a Golang backend and using the cloud.google.com/go/storage library to communicate with our GCS instance. Currently, I am using this library to sign URLs and upload media to our instance. However, I would like to avoid downloading the service account key file and explicitly setting the GOOGLE_APPLICATION_CREDENTIALS environment variable for local development purposes. To achieve this, I followed the referenced documentation to provide my user credentials for ADC.

Uploading media works fine using the new ADC configuration. However, when attempting to sign a URL using the following code snippet:

u, err := client.Bucket(bucket).SignedURL(object, &storage.SignedURLOptions{
	Method:  http.MethodGet,
	Expires: time.Now().Add(365 * 24 * time.Hour),
})

I receive an error message:

storage: unable to detect default GoogleAccessID: storage: empty client email in credentials

This error message is puzzling since I authenticated using gcloud auth application-default login before executing the code. What could be the problem here, and how can I fix it?

Edit:
I tried to add the --impersonate-service-account flag pointing to a service account with token creation permissions, but that doesn't seem to work either.

Answer 1

Score: 0


Apparently, this issue was resolved in a recent version of cloud.google.com/go/storage (I read about it in a GitHub discussion but can no longer find a link for some reason). You must have a service account attached to sign URLs, and the library is now able to pick up the GoogleAccessID associated with impersonation. After upgrading to v1.29.0 and authenticating using gcloud auth application-default login --impersonate-service-account=<SERVICE_ACCOUNT>, everything seems to work properly. Make sure your user account has the "service account token creator" role assigned to it under the service account.
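
A local diagnostic for the error discussed above, as an added example (not code from the original post or from cloud.google.com/go/storage): it reads an ADC JSON file and reports which service account email, if any, a signed URL could be issued under. The JSON field names are assumed from the ADC files gcloud writes; the SignerEmail helper and both sample files are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// adcFile holds the ADC JSON fields that matter for URL signing (assumed layout).
type adcFile struct {
	Type        string `json:"type"`
	ClientEmail string `json:"client_email"`
	URL         string `json:"service_account_impersonation_url"`
}

// SignerEmail (hypothetical helper) returns the service account email to sign as.
func SignerEmail(credJSON []byte) (string, error) {
	var f adcFile
	if err := json.Unmarshal(credJSON, &f); err != nil {
		return "", fmt.Errorf("parse credentials: %w", err)
	}
	email := ""
	switch f.Type {
	case "service_account":
		email = f.ClientEmail
	case "impersonated_service_account":
		// Expected shape: .../serviceAccounts/<email>:generateAccessToken
		if i, j := strings.LastIndex(f.URL, "/"), strings.LastIndex(f.URL, ":"); i >= 0 && j > i+1 {
			email = f.URL[i+1 : j]
		}
	case "authorized_user":
		return "", fmt.Errorf("user credentials carry no service account email to sign as")
	default:
		return "", fmt.Errorf("unsupported credential type %q", f.Type)
	}
	if email == "" {
		return "", fmt.Errorf("no service account email found in %s credentials", f.Type)
	}
	return email, nil
}

// Constructed sample files; they contain no real secrets.
const userADC = `{"type":"authorized_user","client_id":"x","client_secret":"x","refresh_token":"x"}`
const impersonatedADC = `{"type":"impersonated_service_account","service_account_impersonation_url":"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/signer@example-project.iam.gserviceaccount.com:generateAccessToken","source_credentials":{"type":"authorized_user"}}`
func main() {
	for _, c := range []string{userADC, impersonatedADC} {
		fmt.Println(SignerEmail([]byte(c)))
	}
}
```

Running it against the file written by gcloud auth application-default login shows whether the credentials are plain user credentials or an impersonation wrapper before any signing call is made.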

huangapple
  • Posted on March 9, 2023 at 12:59:41
  • When reposting, please keep the link to this article: https://go.coder-hub.com/75680588.html