sops
Added support for access tokens in gcpkms
This PR adds support for access tokens (via the GOOGLE_CREDENTIALS env var).
If the env var GOOGLE_CREDENTIALS is not set, the gcloud SDK fetches an access token from the instance metadata endpoint http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token.
In our workload on GKE, we don't want to use the access token returned by the metadata endpoint directly. We use this access token to impersonate another service account, which has the minimum permissions required for the KMS decrypt.
There is no facility to set access tokens in sops, only static (long-lived) credentials via the credentials file/GOOGLE_CREDENTIALS.
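The three-hop flow the description relies on (metadata token, then impersonation, then KMS decrypt with the impersonated token) is shown below as an added example using only the Go standard library against the documented REST endpoints; it is not code from this PR or from sops. The base URLs are parameters so the chain can be exercised offline; the `IMPERSONATE_SA` and `KMS_KEY` environment variable names, the five-minute lifetime and the `sops-decrypt@…` service account name are assumptions made for the example.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
	"time"
)

// Documented Google endpoints (base URLs are parameters below so tests can substitute a fake server).
const (
	MetadataBase = "http://169.254.169.254"
	IAMCredsBase = "https://iamcredentials.googleapis.com"
	KMSBase      = "https://cloudkms.googleapis.com"
	kmsScope     = "https://www.googleapis.com/auth/cloudkms"
)

// doJSON sends one request (optional bearer token, optional JSON body) and decodes a 2xx JSON reply into out.
func doJSON(c *http.Client, method, url, bearer string, body interface{}, hdr map[string]string, out interface{}) error {
	var buf bytes.Buffer
	if body != nil {
		if err := json.NewEncoder(&buf).Encode(body); err != nil {
			return err
		}
	}
	req, err := http.NewRequest(method, url, &buf)
	if err != nil {
		return err
	}
	if bearer != "" {
		req.Header.Set("Authorization", "Bearer "+bearer)
	}
	if body != nil {
		req.Header.Set("Content-Type", "application/json")
	}
	for k, v := range hdr {
		req.Header.Set(k, v)
	}
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("%s %s: HTTP %d", method, url, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// MetadataToken fetches the default service account's token from the instance metadata server.
// The Metadata-Flavor header is mandatory; the server rejects requests without it.
func MetadataToken(c *http.Client, base string) (string, error) {
	var r struct {
		AccessToken string `json:"access_token"`
	}
	err := doJSON(c, http.MethodGet, base+"/computeMetadata/v1/instance/service-accounts/default/token", "",
		nil, map[string]string{"Metadata-Flavor": "Google"}, &r)
	return r.AccessToken, err
}

// Impersonate exchanges the caller's token for a short-lived token of targetSA via the IAM Credentials API
// (serviceAccounts.generateAccessToken). The caller needs roles/iam.serviceAccountTokenCreator on targetSA.
func Impersonate(c *http.Client, base, callerToken, targetSA string, lifetime time.Duration) (string, error) {
	body := map[string]interface{}{
		"scope":    []string{kmsScope}, // only the KMS scope: the token is useless for anything else
		"lifetime": fmt.Sprintf("%ds", int(lifetime.Seconds())),
	}
	var r struct {
		AccessToken string `json:"accessToken"`
	}
	err := doJSON(c, http.MethodPost, base+"/v1/projects/-/serviceAccounts/"+targetSA+":generateAccessToken",
		callerToken, body, nil, &r)
	return r.AccessToken, err
}

// KMSDecrypt calls cryptoKeys.decrypt with the impersonated token and returns the plaintext bytes.
func KMSDecrypt(c *http.Client, base, token, keyName string, ciphertext []byte) ([]byte, error) {
	body := map[string]string{"ciphertext": base64.StdEncoding.EncodeToString(ciphertext)}
	var r struct {
		Plaintext string `json:"plaintext"`
	}
	if err := doJSON(c, http.MethodPost, base+"/v1/"+keyName+":decrypt", token, body, nil, &r); err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(r.Plaintext)
}

func main() {
	// Assumed inputs for a stand-alone run on GKE: target SA e-mail, full KMS key resource name, ciphertext on stdin.
	targetSA, keyName := os.Getenv("IMPERSONATE_SA"), os.Getenv("KMS_KEY")
	ct, _ := io.ReadAll(os.Stdin)
	c := &http.Client{Timeout: 10 * time.Second}
	nodeTok, err := MetadataToken(c, MetadataBase)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	saTok, err := Impersonate(c, IAMCredsBase, nodeTok, targetSA, 5*time.Minute)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	pt, err := KMSDecrypt(c, KMSBase, saTok, keyName, ct)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	os.Stdout.Write(pt)
}
```

The point of the chain is that the node's default identity never needs `roles/cloudkms.cryptoKeyDecrypter`; it only needs `roles/iam.serviceAccountTokenCreator` on the decrypt-only service account, and the token it obtains is scoped to KMS and expires after the requested lifetime. That short-lived token is the kind of credential the PR lets sops consume instead of a long-lived key file.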