Add support for GCE "Service Accounts" as resources #608

Open
@mdallali

Description

Based on the nixops manual, GCP service accounts are not a resource that can be created/managed by nixops.

Google Service Accounts are IAM resources that allow GCP VMs to be identified/authenticated (see "Creating and Enabling Service Accounts for Instances"). They are the GCP equivalent of AWS IAM roles.

It would be helpful if this feature could be added.

The use case would be:

  1. Being able to create a GCE service account with nixops -- see "Creating and Managing Service Accounts".
  2. Being able to assign roles to the service account (e.g. Storage Admin) -- see "Granting Roles to Service Accounts".
  3. Being able to launch an instance with that service account attached to it -- see "Creating and Enabling Service Accounts for Instances".
  4. Making sure the instance's scopes are in accordance with the roles of the service account (e.g. when the service account has R/W access to a GCS bucket, the instance's storage scope should also be R/W) -- see "Creating and Enabling Service Accounts for Instances".

Side note: this is not to be confused with the already existing serviceAccount attribute that we use in Nix expressions to specify which service account nixops authenticates with to create resources in a given GCE project.
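Step 4 above is the part that is easy to get wrong, because on GCE a workload can only use an API if both the attached service account's IAM roles and the instance's OAuth scopes allow it: a role the scopes do not cover is dead weight, and a scope broader than the roles need is a standing grant waiting for a future role binding. The following is an added example of that consistency check, written for this page; it is not NixOps code and not from the issue author. The role-to-minimum-scope table is a hand-written assumption covering a few Cloud Storage roles only, the short scope names are the aliases gcloud accepts for `--scopes`, and the sample inputs are constructed.

```python
"""Check that a GCE instance's OAuth scopes line up with the IAM roles of
the service account attached to it (issue step 4).

Added example, not NixOps code. The ROLE_MIN_SCOPE table is an assumption
for a handful of Cloud Storage roles; extend it for the roles you grant.
"""
from dataclasses import dataclass

PREFIX = "https://www.googleapis.com/auth/"
CLOUD_PLATFORM = PREFIX + "cloud-platform"
STORAGE_RO = PREFIX + "devstorage.read_only"
STORAGE_RW = PREFIX + "devstorage.read_write"
STORAGE_FULL = PREFIX + "devstorage.full_control"

# Short names gcloud accepts for --scopes, mapped to the full scope URIs.
SCOPE_ALIASES = {
    "storage-ro": STORAGE_RO,
    "storage-rw": STORAGE_RW,
    "storage-full": STORAGE_FULL,
    "cloud-platform": CLOUD_PLATFORM,
}

# Storage scopes from narrowest to broadest; a broader one covers a narrower one.
STORAGE_RANK = {STORAGE_RO: 1, STORAGE_RW: 2, STORAGE_FULL: 3}

# ASSUMPTION: minimum storage scope a VM needs to actually exercise each role.
ROLE_MIN_SCOPE = {
    "roles/storage.objectViewer": STORAGE_RO,
    "roles/storage.objectCreator": STORAGE_RW,
    "roles/storage.objectAdmin": STORAGE_RW,
    "roles/storage.admin": STORAGE_FULL,  # changing bucket IAM/ACLs needs full_control
}


@dataclass(frozen=True)
class Finding:
    kind: str    # "unusable_role" | "excess_scope" | "unknown_role"
    detail: str


def normalize_scopes(scopes):
    """Expand gcloud aliases so callers may mix short names and full URIs."""
    return {SCOPE_ALIASES.get(s, s) for s in scopes}


def granted_rank(scopes):
    """Broadest storage access the instance scopes allow (0 = none).

    cloud-platform covers every Google API, so it counts as the top rank.
    """
    if CLOUD_PLATFORM in scopes:
        return max(STORAGE_RANK.values())
    return max((STORAGE_RANK[s] for s in scopes if s in STORAGE_RANK), default=0)


def check_instance(roles, scopes):
    """Return findings for roles the scopes cannot use and for scopes wider
    than any granted role needs. An empty list means roles and scopes agree."""
    scopes = normalize_scopes(scopes)
    have = granted_rank(scopes)
    need = 0
    findings = []
    for role in roles:
        min_scope = ROLE_MIN_SCOPE.get(role)
        if min_scope is None:
            findings.append(Finding("unknown_role", f"{role}: no scope mapping, review manually"))
            continue
        need = max(need, STORAGE_RANK[min_scope])
        if STORAGE_RANK[min_scope] > have:
            findings.append(Finding(
                "unusable_role",
                f"{role} needs {min_scope} but the instance only grants storage rank {have}"))
    # Least privilege: scopes are the second guard once the SA gains more roles.
    if CLOUD_PLATFORM in scopes:
        findings.append(Finding("excess_scope", "cloud-platform grants every API; narrow to what the roles need"))
    elif have > need:
        findings.append(Finding("excess_scope", f"storage rank {have} granted but roles need at most {need}"))
    return findings


# Constructed sample inputs (not real project data) for the issue's step 4.
SAMPLES = {
    "mismatched": (["roles/storage.objectAdmin"], ["storage-ro"]),    # R/W role, R/O scope
    "aligned": (["roles/storage.objectAdmin"], ["storage-rw"]),
    "too_broad": (["roles/storage.objectViewer"], ["cloud-platform"]),
}

if __name__ == "__main__":
    for name, (roles, scopes) in SAMPLES.items():
        kinds = [f.kind for f in check_instance(roles, scopes)]
        print(f"{name}: {kinds or ['ok']}")
```

Feed `check_instance` the roles you intend to bind to the service account and the scopes you intend to put on the instance before creating either; a non-empty result means the two halves of the grant disagree, which is exactly the condition step 4 asks a deployment tool to prevent.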
