
MHR replace GCP SA keys with container ADC for GCP API calls #2334

Open: doug-lovett wants to merge 2 commits into bcgov:main from doug-lovett:37375-mhr-remove-sa-keys

@doug-lovett

Collaborator

Issue #: /bcgov/entity#33735

Description of changes:
Outstanding tech debt task. Remove service account keys from the document services GCP Cloud Run jobs and services.
Use GCP Application Default Credentials (ADC) for container calls to Cloud Storage (works within the same GCP project).
Retain the configuration with a GCP key for unit testing and running services locally. Remove the requirement to use a key for Cloud Storage and Pub/Sub API calls.

SRE has a policy of rotating service account keys every 3 months. Removing the keys from the container configuration removes the need to update the containers and redeploy when the keys change.

  • Verify or enable IAM Service Account Credentials API on the project.
  • Assign the container service accounts the correct roles: storage admin, pub/sub publisher, and service account token creator.
  • Update all MHR jobs that use a GCP SA key.
  • Update MHR API service.
  • Remove environment variable from container configuration.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the PPR license (Apache 2.0).

@doug-lovett doug-lovett self-assigned this Jun 16, 2026
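
A check for the last step in the description above (removing the key environment variable from the container configuration), added here as an example and not code from this pull request: it scans Cloud Run service or job configuration, in the JSON shape printed by `gcloud run services describe --format=json`, for environment variables whose literal value is a service account key. The variable names and the sample configuration are constructed; the PR does not name the variable.

```python
import base64
import binascii
import json

# Constructed sample in the shape of `gcloud run services describe --format=json`.
# All names and values below are made up for this example.
FAKE_KEY = json.dumps({"type": "service_account", "private_key": "PLACEHOLDER"})
SAMPLE_SERVICE = {"spec": {"template": {"spec": {"containers": [{"env": [
    {"name": "EXAMPLE_SA_KEY_B64", "value": base64.b64encode(FAKE_KEY.encode()).decode()},
    {"name": "EXAMPLE_SA_KEY_JSON", "value": FAKE_KEY},
    {"name": "EXAMPLE_BUCKET", "value": "example-bucket"},
    {"name": "EXAMPLE_SECRET_REF", "valueFrom": {"secretKeyRef": {"name": "s", "key": "1"}}},
]}]}}}}


def looks_like_sa_key(value):
    """True if value is a service account key file, as raw JSON or base64 of it."""
    candidates = [value]
    try:
        candidates.append(base64.b64decode(value, validate=True).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        pass  # not base64 text; only the raw value is checked
    for text in candidates:
        try:
            doc = json.loads(text)
        except ValueError:
            continue
        if isinstance(doc, dict) and doc.get("type") == "service_account" and "private_key" in doc:
            return True
    return False


def find_key_env_vars(node):
    """Return names of env vars whose literal value is a service account key.

    The recursive walk covers services and jobs, which nest their containers
    at different depths. Secret references (valueFrom) are not resolved here.
    """
    hits = []
    if isinstance(node, dict):
        for key, child in node.items():
            if key == "env" and isinstance(child, list):
                hits += [e["name"] for e in child
                         if isinstance(e, dict) and looks_like_sa_key(e.get("value") or "")]
            else:
                hits += find_key_env_vars(child)
    elif isinstance(node, list):
        for child in node:
            hits += find_key_env_vars(child)
    return hits
```

An empty result from `find_key_env_vars` on every MHR job and service means no key is left as a literal environment value; keys mounted from a secret need a separate review.
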
@bcregistry-sre

Collaborator

Temporary Url for review: https://bcregistry-assets-dev--pr-2334-wgm77xbl.web.app


@doug-lovett doug-lovett requested a review from eve-git June 16, 2026 21:37