Use google default for auth when no service_account_json file specified

[devonh]

This allows the use of various other mechanisms to acquire google application credentials.
See here for more info:
https://cloud.google.com/docs/authentication#auth-decision-tree
https://cloud.google.com/docs/authentication/application-default-credentials

To achieve the same behaviour as specifying service_account_json in the config, set the env var GOOGLE_APPLICATION_CREDENTIALS="/path/to/service_account.json"

Note: This has the downside of applying the same google credentials for all GCM pushers.
If you desire different google credentials for different pushkins running on the same Sygnal instance, setting the service_account_json is the only way to achieve that.

[anoadragon453]

A few questions, but nothing major.

[anoadragon453]

We seem to be trying the service_account_file config option first, before attempting the Application Default Credentials route. This seems counter-intuitive to me, given that environment variables typically trump config options when defined. And we recommend Application Default Credentials over the service_account_file config option.

[devonh]

We only try that option first if the user has explicitly configured it.
I wanted to keep this option to prevent breakages and forcing anyone who is using the existing setup with the v1 api to have to change their deployment method.

The recommendation of using ADC is because google recommends it for security reasons.

[devonh]

We could try the Application Default Credentials route first, but that leads to it trying for ~5 seconds before timing out. I didn't want to make startup longer if you had explicitly configured the service_account_file

[devonh]

After thinking about this more, we need to be able to specify the service account file per pusher. Which means a global environment variable does not fit the bill.
Closing this PR.