How can I use workload identity federation to call Admin SDK APIs?
I know I can impersonate a service account to call other services, for instance, Cloud Storage buckets. But calling an Admin SDK API, like the Directory API, is different. Because it is an admin feature, it typically requires impersonating the admin user.
The thing is, a credential acquired by using federation does not support the createDelegated method, which makes it impossible to impersonate.
I've tried passing the access token acquired from the federation credential to the Google credential, but it didn't help (it simply didn't work).
Does anybody have any experience regarding this?