What
Enables IAM role-based auth by allowing environment variables AWS_KEY_ID and AWS_SECRET_KEY to be left unpopulated. When neither is populated, key_id and secret_key won't be passed to the s3 client constructor, which will instead look for credentials in instance metadata.
Why
As described in the issue above, role-based auth has a few advantages over user-based auth:
better security: admins wouldn't need to store, manage, and rotate secret keys, risking their being compromised.
more specific access control: only the EC2 instance running Aleph will have access to the archive S3 bucket, rather than any client with the access key
Note: when Aleph is running on docker on an EC2 instance, it might be necessary to increase its launch template's HttpPutResponseHopLimit from the default of 1 to 2 so that instance metadata can be fetched.
related to https://github.com/alephdata/aleph/issues/3185
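The credential-selection logic described above, as an added example that is not Aleph's own code: the environment variable names AWS_KEY_ID and AWS_SECRET_KEY come from the PR description, while the function names, the lazy boto3 import and the refusal to start when only one of the two variables is set are assumptions made for this illustration (the PR text only describes the case where neither is populated).

```python
import logging
import os

# Variable names Aleph reads for static S3 credentials (from the PR text).
KEY_ID_VAR = "AWS_KEY_ID"
SECRET_KEY_VAR = "AWS_SECRET_KEY"

log = logging.getLogger(__name__)


class PartialCredentialsError(ValueError):
    """Raised when only one half of a static key pair is configured (assumed behaviour)."""


def s3_client_kwargs(environ=None):
    """Build the keyword arguments for boto3.client("s3").

    both variables set  -> static credentials are passed explicitly
    both unset or empty -> nothing is passed, so boto3's default credential
                           chain consults the instance role via instance metadata
    exactly one set     -> treated as a misconfiguration rather than silently
                           falling back to the instance role
    """
    if environ is None:
        environ = os.environ
    key_id = (environ.get(KEY_ID_VAR) or "").strip()
    secret_key = (environ.get(SECRET_KEY_VAR) or "").strip()

    if key_id and secret_key:
        return {"aws_access_key_id": key_id, "aws_secret_access_key": secret_key}
    if key_id or secret_key:
        missing = SECRET_KEY_VAR if key_id else KEY_ID_VAR
        raise PartialCredentialsError(
            f"{missing} is unset while its counterpart is set; "
            "set both for static keys or neither for role-based auth"
        )
    return {}


def auth_mode(environ=None):
    """Report which credential source the client will end up using."""
    return "static-keys" if s3_client_kwargs(environ) else "instance-role"


def make_s3_client(environ=None, **extra):
    """Create the S3 client, omitting key arguments when role-based auth is in use."""
    import boto3  # imported lazily so the helpers above work without boto3 installed

    kwargs = s3_client_kwargs(environ)
    kwargs.update(extra)  # e.g. region_name or endpoint_url
    log.info("S3 auth mode: %s", auth_mode(environ))
    return boto3.client("s3", **kwargs)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample environments, not real credentials.
    print(auth_mode({}))
    print(auth_mode({"AWS_KEY_ID": "AKIAEXAMPLE", "AWS_SECRET_KEY": "example-secret"}))
```

Treating a half-configured key pair as an error is a deliberate choice for this example: on an EC2 instance with a role attached, silently dropping the static key would otherwise make the archive bucket reachable under the role's permissions while the operator still believes the static key is in use.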