Allow user to override the service account used in jwt signing

[greghutch]

Code currently assumes server@... is used. That may not reflect either our current best practices documentation or what the customer has actually setup.

[bshi]

I can take this, there're some handy helpers in the client library to handle creds holistically (adc/gcloud/etc)