Open sengi opened 8 months ago
~Two~ remaining: specialist-publisher ~and content-data-admin~. (edit: sorry, forgot content-data-admin got done)
Created a PR to remove Fog from specialist-publisher: https://github.com/alphagov/specialist-publisher/pull/2575
I think the dependency on Fog has also been removed from content-data-admin: https://github.com/alphagov/content-data-admin/pull/1377
A few GOV.UK applications are still using long-lived IAM creds (`AKIA...` access keys) to authenticate to AWS services such as S3. This dates all the way back to when GOV.UK was hosted outside AWS in colo facilities. We shouldn't be using these any more.
We've already dealt with most of the easy cases. The remaining ones are probably just the few apps that use Fog. Fog rolls its own when it comes to authenticating to AWS and doesn't work well with the more modern authentication methods like instance profile and IRSA.
https://github.com/alphagov/content-data-admin/pull/1377 and https://github.com/alphagov/support-api/pull/911 are examples of replacing Fog with the standard AWS client library.
We can then use instance profile creds or IRSA for these apps and get rid of the long-lived keys and the secrets that store them.
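An added example, not code from this issue or from any GOV.UK repository: a small Ruby audit that classifies an app's environment by how it would authenticate to AWS, so that apps still carrying `AKIA...` keys can be listed. The app names and sample values are constructed; the environment variable names are the standard ones the AWS SDKs read.

```ruby
# Added example: classify how an app's environment would authenticate to AWS.
# App names and all sample values below are constructed for illustration.

LONG_LIVED_KEY = /\AAKIA[A-Z0-9]{16}\z/ # IAM user access key ID (long-lived)
TEMPORARY_KEY  = /\AASIA[A-Z0-9]{16}\z/ # STS-issued key ID (temporary)

def env_set?(env, name)
  !env[name].to_s.strip.empty?
end

def classify_aws_auth(env)
  key_id = env["AWS_ACCESS_KEY_ID"].to_s
  # IRSA injects a role ARN and a projected service-account token file.
  irsa = env_set?(env, "AWS_ROLE_ARN") && env_set?(env, "AWS_WEB_IDENTITY_TOKEN_FILE")

  if key_id.match?(LONG_LIVED_KEY)
    # A stale key left next to IRSA still needs removing and revoking.
    irsa ? :static_key_alongside_irsa : :static_key
  elsif key_id.match?(TEMPORARY_KEY) && env_set?(env, "AWS_SESSION_TOKEN")
    :temporary_key
  elsif irsa
    :irsa
  elsif key_id.empty?
    :ambient # nothing in the environment, e.g. instance profile creds
  else
    :unrecognised_key
  end
end

# Names of apps whose environment still holds a long-lived access key.
def apps_needing_migration(envs)
  flagged = %i[static_key static_key_alongside_irsa]
  envs.select { |_app, env| flagged.include?(classify_aws_auth(env)) }.keys.sort
end

SAMPLE_ENVS = {
  "app-a" => { "AWS_ACCESS_KEY_ID" => "AKIAIOSFODNN7EXAMPLE",
               "AWS_SECRET_ACCESS_KEY" => "<redacted>" },
  "app-b" => { "AWS_ROLE_ARN" => "arn:aws:iam::111122223333:role/app-b",
               "AWS_WEB_IDENTITY_TOKEN_FILE" => "/var/run/secrets/token" },
  "app-c" => { "AWS_ACCESS_KEY_ID" => "AKIAIOSFODNN7EXAMPLE",
               "AWS_ROLE_ARN" => "arn:aws:iam::111122223333:role/app-c",
               "AWS_WEB_IDENTITY_TOKEN_FILE" => "/var/run/secrets/token" },
  "app-d" => {}
}.freeze

puts apps_needing_migration(SAMPLE_ENVS).inspect if __FILE__ == $PROGRAM_NAME
```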