Extend LUCI_CONTEXT["local_auth"] protocol to understand accounts.

common/auth/auth.go

Index: common/auth/auth.go
diff --git a/common/auth/auth.go b/common/auth/auth.go
index 485e4d8d295d176ba71948949fd04a1c29daa73b..042d44bc42848f41652ae721742b4772ccbcac3f 100644
--- a/common/auth/auth.go
+++ b/common/auth/auth.go
@@ -345,19 +345,27 @@ type Options struct {
 // Beware: it may do relatively heavy calls on first usage (to detect GCE
 // environment). Fast after that.
 func SelectBestMethod(ctx context.Context, opts Options) Method {
-	switch {
-	case opts.ServiceAccountJSONPath != "" || len(opts.ServiceAccountJSON) != 0:
+	// Asked to use JSON private key.
+	if opts.ServiceAccountJSONPath != "" || len(opts.ServiceAccountJSON) != 0 {
 		if opts.ServiceAccountJSONPath == GCEServiceAccount {
 			return GCEMetadataMethod
 		}
 		return ServiceAccountMethod
-	case lucictx.GetLocalAuth(ctx) != nil:
+	}
+
+	// Have a local auth server and an account we are allowed to pick by default.
+	// If no default account is given, don't automatically pick up this method.
+	if la := lucictx.GetLocalAuth(ctx); la != nil && la.CanUseByDefault() {
 		return LUCIContextMethod
-	case opts.GCEAllowAsDefault && metadata.OnGCE():
+	}
+
+	// Running on GCE and callers are fine with automagically picking up GCE
+	// metadata server.
+	if opts.GCEAllowAsDefault && metadata.OnGCE() {
 		return GCEMetadataMethod
-	default:
-		return UserCredentialsMethod
 	}
+
+	return UserCredentialsMethod
 }
 
 // AllowsArbitraryScopes returns true if given authenticator options allow