canonical / spread

Spread - Convenient full-system test (task) distribution
GNU General Public License v3.0

spread/google: add support for service accounts #187

Open bboozzoo opened 3 months ago

bboozzoo commented 3 months ago

Add support for attaching service accounts to the instances created in GCP.

And we can now automatically get access to Ubuntu Pro features (if your account permits it):

google:ubuntu-pro-22.04-64 .../mini/hello# pro status
SERVICE          ENTITLED  STATUS       DESCRIPTION
anbox-cloud      yes       disabled     Scalable Android in the cloud
esm-apps         yes       enabled      Expanded Security Maintenance for Applications
esm-infra        yes       enabled      Expanded Security Maintenance for Infrastructure
fips-preview     yes       disabled     Preview of FIPS crypto packages undergoing certification with NIST
fips-updates     yes       disabled     FIPS compliant crypto packages with stable security updates
livepatch        yes       enabled      Canonical Livepatch service
usg              yes       disabled     Security compliance and audit tools

For a list of all Ubuntu Pro services, run 'pro status --all'
Enable services with: pro enable <service>

                Account: snapd-spread
           Subscription: snapd-spread
            Valid until: Fri Dec 31 00:00:00 9999 UTC
Technical support level: essential

bboozzoo commented 3 months ago

@thp-canonical @sergiocazzolato @ZeyadYasser I have reworked this a bit, please have a look. The backend-level field was confusing and I've changed this completely. Since there is no reasonable scenario in which the service account would use a different 'email' address than the one in the key, the actual value gets derived from the authentication key. The process is identical to what the golang.org/x/oauth2/google package does. Now, a system-level property governs whether you want to attach a service account to an instance or not. This distinction is still needed, as the IAM role assigned to the account may not permit attaching service accounts, so if one just attempted to attach it by default, one would not be able to create any instances if the permissions scope was intentionally limited.
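The two design points in the comment above, deriving the service account email from the key file rather than from a separate config field, and making attachment an explicit per-system opt-in so that a deliberately narrow IAM role can still create instances, are shown below as an added, stand-alone example. This is illustrative code written for this page, not spread's implementation and not the golang.org/x/oauth2/google package; the type `ServiceAccountSpec`, the function names, and the sample key (a constructed key with a placeholder instead of a real private key) are assumptions. The `type` and `client_email` fields are the ones the GCP service account JSON key format actually carries.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// serviceAccountKey holds the fields of a GCP service account JSON key that
// matter here. The JSON field names are those of the real key format; the
// struct itself is a hypothetical helper for this example, not spread's type.
type serviceAccountKey struct {
	Type        string `json:"type"`
	ProjectID   string `json:"project_id"`
	ClientEmail string `json:"client_email"`
}

// ServiceAccountSpec mirrors the shape of a "serviceAccounts" entry in a GCE
// instance insert request (email plus OAuth scopes). Hypothetical name.
type ServiceAccountSpec struct {
	Email  string   `json:"email"`
	Scopes []string `json:"scopes"`
}

// ServiceAccountEmailFromKey derives the service account email from the
// authentication key, so there is no separate email setting that can drift
// from the key actually used to authenticate. Like the oauth2/google package,
// it refuses keys that are not of type "service_account".
func ServiceAccountEmailFromKey(keyJSON []byte) (string, error) {
	var key serviceAccountKey
	if err := json.Unmarshal(keyJSON, &key); err != nil {
		return "", fmt.Errorf("cannot parse key: %w", err)
	}
	if key.Type != "service_account" {
		return "", fmt.Errorf("key type %q is not a service account key", key.Type)
	}
	if key.ClientEmail == "" {
		return "", errors.New("key has no client_email field")
	}
	return key.ClientEmail, nil
}

// InstanceServiceAccounts returns the service accounts to attach to a new
// instance. attach is the per-system opt-in: when false nothing is attached,
// so a key whose IAM role lacks permission to attach service accounts (for
// GCE, iam.serviceAccounts.actAs on the account) can still create instances.
func InstanceServiceAccounts(keyJSON []byte, attach bool) ([]ServiceAccountSpec, error) {
	if !attach {
		return nil, nil
	}
	email, err := ServiceAccountEmailFromKey(keyJSON)
	if err != nil {
		return nil, err
	}
	return []ServiceAccountSpec{{
		Email:  email,
		Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"},
	}}, nil
}

// constructedKey is a made-up key for this example; the private key is a
// placeholder, not real key material.
const constructedKey = `{
  "type": "service_account",
  "project_id": "example-project",
  "client_email": "spread-runner@example-project.iam.gserviceaccount.com",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
}`

func main() {
	for _, attach := range []bool{false, true} {
		sas, err := InstanceServiceAccounts([]byte(constructedKey), attach)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		out, _ := json.Marshal(sas)
		fmt.Printf("attach=%v -> serviceAccounts=%s\n", attach, out)
	}
}
```

With `attach=false` the instance request carries no `serviceAccounts` entry at all, which is the case the comment is protecting: an account whose role cannot act as the service account still creates instances. A user-credential file (`"type": "authorized_user"`) is rejected up front instead of producing an instance with an empty email.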