docs: document that the IAM API must be enabled for certain signers

On Demand Rides and Deliveries · copybara-github · commit 7e0579f38209 · 2022-08-24T14:27:16.000-07:00
PiperOrigin-RevId: 469823929
diff --git a/README.md b/README.md
@@ -101,13 +101,16 @@ comes loaded with three predefined Signers which handle the common use cases
 
 Signer                        | GCP Required | Description
 :---------------------------: | :----------: | :---------:
-`DefaultServiceAccountSigner` | Yes          | Signs tokens with the service account running the application. This signer is typically used to sign `FleetEngineTokenType#SERVER` tokens. The service account <b>MUST</b> have the `iam.serviceAccounts.signBlob` permission in order to use this Signer. This is typically acquired through the `Service Account Token Creator` role.
-`ImpersonatedSigner`          | Yes          | Signs tokens by impersonating a different service account. The account hosting the application <b>MUST</b> have the `iam.serviceAccounts.signBlob` permission. This permission is typically acquired through the `Service Account Token Creator` role.
+`DefaultServiceAccountSigner` | Yes          | Signs tokens with the service account running the application. This signer is typically used to sign `FleetEngineTokenType#SERVER` tokens. The service account <b>MUST</b> have the `iam.serviceAccounts.signBlob` permission which is typically acquired through the `Service Account Token Creator` role.
+`ImpersonatedSigner`          | Yes          | Signs tokens by impersonating a different service account. The account hosting the application <b>MUST</b> have the `iam.serviceAccounts.signBlob` permission which is typically acquired through the `Service Account Token Creator` role.
 `LocalSigner`                 | No           | Signs tokens with a private key file generated by a given service account. **Storing private key files in any form presents a security risk and should be a last resort.**
 
 Note: GCP Required denotes that the Signer works with applications that are
-hosted on GCP or are otherwise authenticated with GCP. For more information,
-see: https://cloud.google.com/docs/authentication/getting-started.
+hosted on GCP or are otherwise authenticated with GCP. To use Signers that
+require GCP, the
+"[IAM Service Account Credentials API](https://console.cloud.google.com/apis/library/iam.googleapis.com)"
+<b>MUST</b> be enabled in your GCP project the  For more information, see:
+https://cloud.google.com/docs/authentication/getting-started.
 
 ## Using the library
 
