naiserator
Additional IAM roles for Google service accounts
Some applications use GCP products that require additional roles that grant their Google service account (their identity) access to itself (as a resource), e.g. roles/iam.serviceAccountTokenCreator.
naiserator creates an IAMPolicy that sets up bindings for workload identity.
This IAM policy is thus authoritative for the service account. External modifications are overridden by Config Connector.
A possible solution would be to allow applications to opt in for such additional roles and have naiserator assign these via the IAMPolicy resource.
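An added illustration (not naiserator's actual output) of what the authoritative Config Connector IAMPolicy would need to contain for an opted-in application: the existing workload identity binding plus the extra self-referential role. Because the policy is authoritative, a role granted only through the GCP console or gcloud is removed on the next reconcile, so it has to live in this resource. PROJECT_ID, NAMESPACE and the application name myapp are placeholders.

```yaml
# Constructed example: an IAMPolicy that is authoritative for the
# application's Google service account (the IAMServiceAccount it references).
# Any binding not listed here is removed by Config Connector.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: myapp                     # placeholder application name
  namespace: NAMESPACE            # placeholder Kubernetes namespace
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: myapp                   # the GSA this policy is authoritative for
  bindings:
    # Existing binding: lets the Kubernetes service account act as the GSA
    # (workload identity). This is what naiserator sets up today.
    - role: roles/iam.workloadIdentityUser
      members:
        - serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/myapp]
    # Opt-in addition: the GSA is granted the role on itself only, so it can
    # mint tokens for its own identity and no other service account.
    - role: roles/iam.serviceAccountTokenCreator
      members:
        - serviceAccount:myapp@PROJECT_ID.iam.gserviceaccount.com
```

Since the member in the extra binding is the same service account the policy governs, the grant stays scoped to the application's own identity rather than to every service account in the project.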
See also https://nav-it.slack.com/archives/C050DP53VPH/p1716977528649729