Roles for services, EC2 instance roles, OIDC for GitHub Actions
Machines should never hold long-lived keys. Two patterns make that real: an instance role that EC2 assumes through an instance profile, and an OIDC provider that lets GitHub Actions deploy with credentials that expire in minutes. Both rest on the trust policy, the half of a role that says who may assume it.
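The two trust policies side by side, with a small audit of the GitHub OIDC one, as an added example that is not part of the original lab. The account ID, organisation and repository names are placeholders, and `audit_trust_policy` and its helpers are hypothetical names.

```python
import copy

GH = "token.actions.githubusercontent.com"  # GitHub Actions OIDC issuer host

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _cond_values(stmt, key):
    """Values for a condition key under StringEquals/StringLike (keys are case-insensitive)."""
    out = []
    for op in ("StringEquals", "StringLike"):
        for k, v in stmt.get("Condition", {}).get(op, {}).items():
            if k.lower() == key.lower():
                out += _as_list(v)
    return out

def audit_trust_policy(policy):
    """Return findings for a role trust policy; an empty list means none."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        principal = stmt.get("Principal", {})
        feds = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or not any(f.endswith("oidc-provider/" + GH) for f in feds):
            continue  # only Allow statements that trust GitHub's OIDC provider are checked
        if _cond_values(stmt, GH + ":aud") != ["sts.amazonaws.com"]:
            findings.append("aud is not pinned to sts.amazonaws.com")
        subs = _cond_values(stmt, GH + ":sub")
        if not subs:
            findings.append("no sub condition: any GitHub repository may assume this role")
        for sub in subs:
            parts = sub.split(":")  # expected shape: repo:<owner>/<repo>:<ref or environment>
            if len(parts) < 3 or parts[0] != "repo" or "/" not in parts[1] or "*" in parts[1]:
                findings.append("sub does not pin one repository: " + sub)
    return findings

# Constructed sample policies; account ID, org and repo names are placeholders.
EC2_ROLE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
GITHUB_WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/" + GH},
    "Condition": {"StringEquals": {GH + ":aud": "sts.amazonaws.com"}}}]}
GITHUB_PINNED = copy.deepcopy(GITHUB_WEAK)
GITHUB_PINNED["Statement"][0]["Condition"]["StringEquals"][GH + ":sub"] = (
    "repo:example-org/example-repo:ref:refs/heads/main")

if __name__ == "__main__":
    for p in (EC2_ROLE, GITHUB_WEAK, GITHUB_PINNED):
        print(audit_trust_policy(p) or "no findings")
```

The EC2 policy passes untouched because its principal is the `ec2.amazonaws.com` service; the audit only inspects statements that trust the GitHub OIDC provider.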