have ccoctl stop accepting CredentialsRequests w/o ServiceAccounts

To ease writing ccoctl while waiting for all the in-cluster CredentialsRequests to start including their ServiceAccount details, ccoctl will just fill in a less-secure 'audience' field for the trust policy for the created IAM Roles in the absence of a ServiceAccount name.

As the ServiceAccount names provide for better Role isolation, remove ccoctl's ability to process CredentialsRequests without ServiceAccount name(s).

https://github.com/openshift/cloud-credential-operator/blob/master/pkg/cmd/provisioning/aws/create-iam-roles.go#L237-L240