GCP+GWS: Support using ADC service account credentials instead of a service account key

[eriksw]

We have an organization policy disallowing the creation of service account keys and do not want to make an exception for this.

When running the bridge inside Google Cloud Platform, such as by deploying it as a Cloud Run service with a custom service account, the service should be able to obtain temporary credentials for that service account via Application Default Credentials.

What is needed in order to support this and not have to use a service account key? (We would be granting the access to the service account that the bridge is running as.)