Add GCP support #109

Open
ryan-lane opened this issue Jan 11, 2017 · 0 comments

With the addition of GCP's Cloud KMS API it should be possible to natively support Confidant in GCP. There are a few major differences between GCP's KMS and AWS's KMS, though:

  1. Though GCP's KMS supports AAD through encrypt/decrypt, GCP's IAM does not support restricting access based on the AAD.
  2. GCP's KMS has no quota on the number of keys, just on the number of operations. Also, each key can have IAM policy attached to it.
  3. GCP's KMS has no random function.
  4. GCP's KMS does not support functions like create data key. To do envelope encryption it's necessary to generate random data from the VM's urandom, and then encrypt that random data. We can't seed urandom using KMS. It's possible the entropy will be lower in GCP.
  5. GCP's KMS does not have grants, but using a key per service would be analogous to how we use grants.

The differences between AWS's KMS and GCP's KMS mostly affect how we do service to service authentication. For service to service auth, we'd need to rely on a crypto key per service, rather than relying on encryption context for data on a single key. At-rest encryption should be possible with few modifications.

For data storage we'd need to support something other than DynamoDB. The likely replacement is datastore.
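
The envelope-encryption flow from point 4, combined with the key-per-service access model from points 1, 2 and 5, as an added example that is not part of the original issue or of Confidant's code. `FakeKms`, `seal`, `unseal` and the key and principal names are hypothetical; `FakeKms` is an in-memory stand-in, not the GCP client library, and the example assumes the `cryptography` package is installed.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class FakeKms:
    """In-memory stand-in for a KMS: one AES key and one IAM allowlist per crypto key."""

    def __init__(self):
        self._keys = {}    # key name -> AES-256 key material
        self._policy = {}  # key name -> set of principals allowed to use it

    def create_key(self, name, principals):
        self._keys[name] = AESGCM.generate_key(bit_length=256)
        self._policy[name] = set(principals)

    def _authorize(self, name, caller):
        # Access is decided per key only; the AAD plays no part in authorization.
        if caller not in self._policy.get(name, ()):
            raise PermissionError(f"{caller} may not use {name}")

    def encrypt(self, name, caller, plaintext, aad):
        self._authorize(name, caller)
        nonce = os.urandom(12)
        return nonce + AESGCM(self._keys[name]).encrypt(nonce, plaintext, aad)

    def decrypt(self, name, caller, blob, aad):
        self._authorize(name, caller)
        return AESGCM(self._keys[name]).decrypt(blob[:12], blob[12:], aad)


def seal(kms, key_name, caller, secret, aad):
    """Envelope-encrypt: local data key from os.urandom, wrapped by the KMS key."""
    data_key = os.urandom(32)  # no "create data key" call, so the key is made locally
    nonce = os.urandom(12)
    ciphertext = AESGCM(data_key).encrypt(nonce, secret, aad)
    wrapped = kms.encrypt(key_name, caller, data_key, aad)
    return {"wrapped_key": wrapped, "nonce": nonce, "ciphertext": ciphertext}


def unseal(kms, key_name, caller, envelope, aad):
    """Unwrap the data key through the KMS, then decrypt the secret locally."""
    data_key = kms.decrypt(key_name, caller, envelope["wrapped_key"], aad)
    return AESGCM(data_key).decrypt(envelope["nonce"], envelope["ciphertext"], aad)
```

The AAD still protects integrity (a mismatched AAD fails decryption), but only the per-key allowlist decides who may call decrypt at all.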
