Remove AWS keys from environment of containers

[rstata]

Note to students: we have already implemented this feature (see pull #36), which we will be
the lab for Thursday. So this is probably not the best issue to pick up for "hack day." However,
see issue #43 as an extension to this issue.

AWS keys are currently passed into the container environment so Limbo can talk to CloudWatch. These environments can be inspected with the ECS Web UI. A better approach would be to create an IAM Role for these containers with the right set of CloudWatch permissions.

[rstata]

Tried to use roles to make this work: http://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html

However, ecs-cli up with --instance-role ecsInstanceRole failed with the following message:

FATA[0001] Error executing 'up': ValidationError: Template format error: Unresolved resource dependencies [EcsInstanceProfile] in the Resources block of the template
	status code: 400, request id: 7e07c32e-e494-11e7-bf6c-3ba955bd467f

I tried using the full ARN for the role, the ARN for the associated EC2 instance profile, and a bunch of other things, with no luck. Until someone can figure out what's going wrong, I'm reverting to environment variables. (We need to add CloudWatch permissions to the students.)

We can probably live with this for now. However, anybody with "strong" AWS keys should not use those keys when doing make ecs_start. Instead, everyone should have a set of "student"-grade keys -- which don't have a lot of privs -- and use those for make ecs_start.

[rstata]

Although this doc from above should've worked:

http://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html

it turns out it was the wrong instructions to follow. So I followed these instructions:

http://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html

and they worked as hoped.