Add EC2 IAM Instance Profile to decryption #1

Open
wants to merge 2 commits into
base: master
from

mindriot88

  • allow KMS decrypt to be used via IAM instance credentials.

@mindriot88
Author

@schattingh First of all, thanks very much for working on this; when running eyaml kms from within AWS, this is the correct authentication mechanism to be using.

I have been trying out your patch. It works well in our case, where we are using KMS to decrypt our eyaml secrets during a Packer build pipeline, hence the addition in this PR.

Once you're happy with your implementation, do you mind submitting this back to https://github.com/adenot/hiera-eyaml-kms? I think this would be useful for many others.

@schattingh
Owner

schattingh commented Nov 8, 2018

Thanks @mindriot88, I should get some time to complete testing this over the next few days and will then be submitting a PR.

@schattingh
Owner

@mindriot88 I have tested this further and found that my changes are not required in order to use EC2 IAM Instance Profiles. The SDK tries the IAM Instance Profile credentials if a profile is not configured. Tested with both encryption and decryption, confirmed by monitoring CloudTrail to check the InstanceID was appearing in the logs as the username.

So won't be submitting my changes, but may submit a clarification in the documentation.
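
The CloudTrail check described in the comment above can be scripted. The following is an added example, not code from this PR or from hiera-eyaml-kms: it classifies KMS Encrypt/Decrypt events by whether the caller is an assumed role whose session name is an EC2 instance ID, which is how instance profile credentials appear in CloudTrail. The account ID, role name, user name and instance ID in the sample records are constructed, and `kms_caller` and `audit` are hypothetical helper names.

```ruby
require 'json'

# Constructed CloudTrail records, trimmed to the fields this check reads.
SAMPLE_EVENTS = JSON.parse(<<~EVENTS)
  [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AssumedRole",
       "arn": "arn:aws:sts::111122223333:assumed-role/packer-build/i-0123456789abcdef0"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Encrypt",
     "userIdentity": {"type": "IAMUser",
       "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
       "arn": "arn:aws:sts::111122223333:assumed-role/packer-build/i-0123456789abcdef0"}}
  ]
EVENTS

KMS_CALLS   = %w[Encrypt Decrypt].freeze
# EC2 instance IDs: "i-" followed by 8 (legacy) or 17 hex characters.
INSTANCE_ID = /\Ai-(?:[0-9a-f]{8}|[0-9a-f]{17})\z/
# Assumed-role ARN layout: ...:assumed-role/<role name>/<session name>
ASSUMED     = %r{:assumed-role/([^/]+)/([^/]+)\z}

# Returns nil for non-KMS events, otherwise a hash describing the caller.
def kms_caller(event)
  return nil unless event['eventSource'] == 'kms.amazonaws.com' &&
                    KMS_CALLS.include?(event['eventName'])

  identity = event['userIdentity'] || {}
  match    = identity['arn'].to_s.match(ASSUMED)
  if identity['type'] == 'AssumedRole' && match && match[2] =~ INSTANCE_ID
    # For instance profile credentials the session name is the instance ID.
    { action: event['eventName'], via: :instance_profile,
      role: match[1], instance: match[2] }
  else
    # Static keys, a named profile, or a role assumed some other way.
    { action: event['eventName'], via: :other, principal: identity['arn'] }
  end
end

def audit(events)
  events.map { |e| kms_caller(e) }.compact
end

audit(SAMPLE_EVENTS).each { |row| puts row.inspect } if $PROGRAM_NAME == __FILE__
```

A `:other` result for a host that is expected to use its instance profile means a configured profile or static keys took precedence in the SDK's credential lookup.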


3 participants