Is your feature request related to a problem?
When using S3 (or S3-compatible) storage as the backend, Gokapi currently requires
a long-lived IAM user with a static Access Key ID / Secret Access Key pair.
These credentials must be written into the Gokapi configuration file.
In AWS-hosted deployments (EC2, ECS, EKS, Lambda, etc.) the recommended security
practice is to use IAM roles instead of IAM users, so that:
- No long-lived secrets are stored on disk or in environment variables.
- Credentials are short-lived and automatically rotated by AWS (STS).
- Permissions follow the workload identity (instance profile / IRSA / task role).
- There is no need to create and manage an extra IAM user just for Gokapi.
Today this is not possible because the AWS session is built with
`credentials.NewStaticCredentials(awsConfig.KeyId, awsConfig.KeySecret, "")`
in `internal/storage/filesystem/s3filesystem/aws/Aws.go`, and
`AwsConfig.IsAllProvided()` in `internal/models/AwsConfig.go` returns `false`
unless both `KeyId` and `KeySecret` are set.
Describe the solution you'd like
Allow Gokapi to use the default AWS credential provider chain when no static
credentials are configured. Concretely:
- Add an opt-in flag in `AwsConfig`, e.g. `UseIamRole bool` (or simply: when
  `KeyId` and `KeySecret` are both empty while `Bucket` and `Region` are set,
  fall back to the default chain).
- In `createSession()`, when that mode is active, build the session without
  `Credentials:` so the AWS SDK resolves credentials automatically via:
  - environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SESSION_TOKEN`, ...)
  - shared config / `~/.aws/credentials`
  - EC2 instance profile / ECS task role / EKS IRSA (`AWS_WEB_IDENTITY_TOKEN_FILE`)
- Update `IsAllProvided()` so that a configuration with only `Bucket`,
  `Region` (and optionally `Endpoint`) is considered valid when role-based
  auth is selected.
- Update the setup UI and the documentation (`docs/setup.rst`) to describe
  the new option and recommend it for AWS-hosted deployments.
A minimal sketch of the session creation change (in `Aws.go`; `awsConfig` is the
package-level configuration that file already holds):

```go
package aws

import (
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/session"
)

func createSession() *session.Session {
	s3Config := &aws.Config{
		Endpoint:         aws.String(awsConfig.Endpoint),
		Region:           aws.String(awsConfig.Region),
		S3ForcePathStyle: aws.Bool(true),
	}
	// Only pin static credentials when a complete key pair is configured.
	if awsConfig.KeyId != "" && awsConfig.KeySecret != "" {
		s3Config.Credentials = credentials.NewStaticCredentials(
			awsConfig.KeyId, awsConfig.KeySecret, "")
	}
	// else: leave Credentials unset and let the AWS SDK use the default
	// credential chain (env vars, instance profile, IRSA, ECS task role, ...)
	return session.Must(session.NewSession(s3Config))
}
```
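The sketch above decides the mode inline and, as written, would also fall back to the default chain when only one half of the key pair is filled in. The following is an added example (not Gokapi code; the `AwsConfig` struct shape, the `CredentialMode` type and the function names are assumptions for illustration) that factors the decision into a validator usable by both `IsAllProvided()` and `createSession()`, fails closed on a half-filled key pair, and adds a startup hint naming which default-chain source the SDK will most likely consult, so an operator can confirm role-based auth is actually in effect:

```go
package main

import (
	"errors"
	"fmt"
)

// AwsConfig mirrors the field names used in the issue; the struct itself is an
// assumption for this example, not Gokapi's actual type.
type AwsConfig struct {
	Bucket    string
	Region    string
	Endpoint  string
	KeyId     string
	KeySecret string
}

// CredentialMode is how the S3 session would authenticate.
type CredentialMode int

const (
	ModeInvalid      CredentialMode = iota
	ModeStatic                      // credentials.NewStaticCredentials(KeyId, KeySecret, "")
	ModeDefaultChain                // omit Credentials from aws.Config; SDK default chain
)

func (m CredentialMode) String() string {
	switch m {
	case ModeStatic:
		return "static access key"
	case ModeDefaultChain:
		return "default credential chain (IAM role)"
	}
	return "invalid"
}

var (
	ErrMissingBucketOrRegion = errors.New("aws: Bucket and Region are required")
	ErrPartialStaticCreds    = errors.New("aws: KeyId and KeySecret must be set together or both left empty")
)

// ResolveCredentialMode validates the configuration and picks the mode. A
// half-filled key pair is rejected rather than silently treated as "use the
// role", so a typo in the config cannot quietly switch authentication modes.
func ResolveCredentialMode(c AwsConfig) (CredentialMode, error) {
	if c.Bucket == "" || c.Region == "" {
		return ModeInvalid, ErrMissingBucketOrRegion
	}
	hasKey, hasSecret := c.KeyId != "", c.KeySecret != ""
	switch {
	case hasKey && hasSecret:
		return ModeStatic, nil
	case hasKey != hasSecret:
		return ModeInvalid, ErrPartialStaticCreds
	default:
		return ModeDefaultChain, nil
	}
}

// IsAllProvided is the relaxed validity check the issue asks for: complete when
// Bucket and Region are set and the key pair is either complete or absent.
func IsAllProvided(c AwsConfig) bool {
	_, err := ResolveCredentialMode(c)
	return err == nil
}

// ChainSourceHint names the default-chain source the SDK will most likely use,
// judged from the environment variables the chain consults. This is a
// simplified approximation of the SDK's lookup order, meant for a log line.
func ChainSourceHint(env map[string]string) string {
	switch {
	case env["AWS_ACCESS_KEY_ID"] != "" && env["AWS_SECRET_ACCESS_KEY"] != "":
		return "environment variables"
	case env["AWS_WEB_IDENTITY_TOKEN_FILE"] != "" && env["AWS_ROLE_ARN"] != "":
		return "web identity token (EKS IRSA)"
	case env["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"] != "" || env["AWS_CONTAINER_CREDENTIALS_FULL_URI"] != "":
		return "ECS task role"
	default:
		return "shared config files or EC2 instance profile"
	}
}

func main() {
	// Constructed sample configurations: complete key pair, role-only, half-filled.
	for _, c := range []AwsConfig{
		{Bucket: "gokapi-files", Region: "eu-central-1", KeyId: "AKIAEXAMPLE", KeySecret: "example-secret"},
		{Bucket: "gokapi-files", Region: "eu-central-1"},
		{Bucket: "gokapi-files", Region: "eu-central-1", KeyId: "AKIAEXAMPLE"},
	} {
		mode, err := ResolveCredentialMode(c)
		fmt.Printf("mode=%v valid=%t err=%v\n", mode, IsAllProvided(c), err)
	}
	// Constructed environment resembling a pod configured for IRSA.
	env := map[string]string{
		"AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
		"AWS_ROLE_ARN":                "arn:aws:iam::123456789012:role/gokapi-example",
	}
	fmt.Println("chain source:", ChainSourceHint(env))
}
```

`ResolveCredentialMode` is the single place both the setup validation and `createSession()` would call, so the two cannot drift apart; the hint is only for logging and never substitutes for the SDK's own resolution.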
Describe alternatives you've considered
- Creating a dedicated IAM user with an access key and rotating it manually —
works but defeats the purpose of running on AWS-managed infrastructure and
introduces a long-lived secret that must be protected.
- Injecting temporary STS credentials via environment variables and restarting
Gokapi periodically — fragile and not how IAM roles are meant to be consumed.
Additional Context
- Affected files:
  - `internal/models/AwsConfig.go` (`IsAllProvided`)
  - `internal/storage/filesystem/s3filesystem/aws/Aws.go` (`createSession`, `Init`, `IsValidLogin`)
  - `internal/configuration/setup/` (setup UI / validation)
  - `docs/setup.rst` (documentation for S3 backend)
- The AWS SDK for Go v1 (already used by Gokapi) supports this natively: just
  omit `Credentials` from `aws.Config` and the default chain is used.
- This feature would also benefit users running Gokapi on Kubernetes with
IRSA, and on ECS/Fargate with task roles.
Thanks for considering!
Impact