nixops-aws
Support IAM Role based authentication when running from an EC2 instance
Currently, unless I'm missing something, it's impossible. NixOps insists on either accessKeyId being defined in the config (which in turn relies on secrets being present in ~/.aws/credentials) or the environment variables AWS_ACCESS_KEY_ID/EC2_ACCESS_KEY being present.
Boto actually gives you that pretty much for free. You just need to call it without any credentials. Unfortunately the code is littered with those:
self.access_key_id = defn.access_key_id or nixops.ec2_utils.get_access_key_id()
if not self.access_key_id:
    raise Exception("please set ‘deployment.ec2.accessKeyId’, $EC2_ACCESS_KEY or $AWS_ACCESS_KEY_ID")
It would be super nice to have one less secret to worry about 😅
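One way to express the fallback requested above, as an added example that is not code from nixops-aws: `resolve_connect_kwargs`, `CredentialError` and the `secrets` argument are hypothetical names, and the returned dict is meant to be passed as keyword arguments to a boto connect call such as `boto.ec2.connect_to_region`. Raising on a key ID without a secret is a choice made in this example, so that a half-configured static key never silently turns into the instance role's identity.

```python
import os


class CredentialError(Exception):
    """An access key ID was configured but no matching secret was found."""


def resolve_connect_kwargs(config_access_key_id=None, env=None, secrets=None):
    """Return keyword arguments for a boto connect call.

    An empty dict means "pass no credentials": boto then runs its own lookup
    chain and, on an EC2 instance with an instance profile, uses the
    temporary credentials of the attached IAM role.
    """
    env = os.environ if env is None else env
    # Hypothetical stand-in for the parsed ~/.aws/credentials file:
    # a mapping of access key ID -> secret access key.
    secrets = secrets or {}

    # Same precedence as the snippet in the issue: config first, then
    # $EC2_ACCESS_KEY, then $AWS_ACCESS_KEY_ID.
    key_id = (config_access_key_id
              or env.get("EC2_ACCESS_KEY")
              or env.get("AWS_ACCESS_KEY_ID"))

    if not key_id:
        # Nothing configured. Instead of raising, defer to boto so that no
        # long-lived secret has to exist on the deploying instance.
        return {}

    secret = secrets.get(key_id) or env.get("AWS_SECRET_ACCESS_KEY")
    if not secret:
        # An explicit key ID without a secret is a configuration error.
        raise CredentialError(
            "access key ID %r is set but no secret was found" % key_id)

    return {"aws_access_key_id": key_id, "aws_secret_access_key": secret}
```
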