Service account support

[askfongjojo]

The support for service accounts was mentioned originally in #849 but didn't make it to the MVP IAM implementation. The need has come up again based on recent internal/external user requests.

There are a few aspects that distinguish service accounts from regular user accounts:

• shouldn't be allowed to use the web UI
• is strictly tied to an application/service identity (should not be auto-provisioned via IdP?)
• supports frictionless key rotation to allow continuous use

There are probably more to the service account requirements and will need to be further defined/scoped when this feature is being implemented.

[askfongjojo]

@davepacheco pointed us to these RFDs which describe standard-enough ideas that they might still be accurate/relevant:

• https://rfd.shared.oxide.computer/rfd/0043#_service_account
• https://rfd.shared.oxide.computer/rfd/0234