GCP: ensure default engine service agent SA can use KMS keys

[pwschuurman]

Ensure the default compute engine service agent SA can use KMS keys. Compute engine has a special service agent account that needs access to cloudkms. This is required for the GCP PDCSI tests to call the GCE instances.insert API, as VMs are created with the Compute Engine default service account. See https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/pull/1762#issuecomment-2195525892

The GCP PDCSI e2e test prowjobs have failed after migrating to use the k8s-infra-prow-build cluster: https://github.com/kubernetes/test-infra/pull/32809

[pwschuurman]

/assign @BenTheElder

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: BenTheElder, pwschuurman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[infra/gcp/bash/prow/OWNERS](https://github.com/kubernetes/k8s.io/blob/main/infra/gcp/bash/prow/OWNERS)~~ [BenTheElder] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment

[BenTheElder]

This is deploying ... will comment again when it's done for the main pool (happens first) and/or when it's totally done.

[BenTheElder]

Main project pool should be good go to now, we can try this in the driver repo now.

(left this unattended and it had a connection issue, I'd invest in built-in retries but I don't think we're likely to be tweaking this often in the future)

Running again to apply to the remaining projects in the other pools.

[BenTheElder]

Running again for the full set.

[BenTheElder]

This is deployed to all projects.