It does indeed seem like adding the IAM roles directly to the federated id principalSet will give the permissions necessary to the application default credentials. This doesn't really answer the question or provide a way to use the service user account to run terraform, but it works.
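The two ways of granting the pool's identities access, side by side, as an added Terraform example that is not part of the original post; the project id/number, pool id, attribute name and repository value are placeholders to replace with your own.

```hcl
# Added example (not from the original post): direct principalSet bindings
# (what the answer above found to work) next to service-account impersonation.
# Every value in locals is a hypothetical placeholder.

locals {
  project_id     = "my-project-id"
  project_number = "123456789012"
  pool_id        = "github-pool"
  repo           = "my-org/my-repo"

  # Every identity in the pool whose mapped attribute.repository equals local.repo.
  principal_set = "principalSet://iam.googleapis.com/projects/${local.project_number}/locations/global/workloadIdentityPools/${local.pool_id}/attribute.repository/${local.repo}"
}

# Option A: bind project roles straight to the principalSet. Application
# default credentials from the pool then carry this role with no service
# account involved. Keep the role as narrow as the workload needs.
resource "google_project_iam_member" "direct_storage_admin" {
  project = local.project_id
  role    = "roles/storage.admin"
  member  = local.principal_set
}

# Option B: impersonate a dedicated service account. The principalSet only
# gets roles/iam.workloadIdentityUser on the SA; all project roles live on the
# SA, so they are auditable in one place and the SA can be disabled quickly.
resource "google_service_account" "terraform" {
  account_id   = "terraform-runner"
  display_name = "Terraform runner"
}

resource "google_service_account_iam_member" "wif_user" {
  service_account_id = google_service_account.terraform.name
  role               = "roles/iam.workloadIdentityUser"
  member             = local.principal_set
}

resource "google_project_iam_member" "sa_storage_admin" {
  project = local.project_id
  role    = "roles/storage.admin"
  member  = "serviceAccount:${google_service_account.terraform.email}"
}
```

Which option is in effect is decided by the external-account credential configuration the workload loads: with a service_account_impersonation_url pointing at the SA, option B's bindings apply; without it, the token is the federated identity itself and only option A's direct bindings count.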