puppet: Only s3_backups_bucket is required for backups.

`s3_backups_key` / `s3_backups_secret_key` are optional, as the
permissions could come from the EC2 instance's role.

docs/production/export-and-import.md

@@ -170,9 +170,9 @@ data includes:
 
   ```ini
   s3_region = # region to write to S3; defaults to EC2 host's region
-  s3_backups_key = # aws public key
-  s3_backups_secret_key =  # aws secret key
-  s3_backups_bucket = # name of S3 backup
+  s3_backups_key = # aws public key; optional, if access not through role
+  s3_backups_secret_key =  # aws secret key; optional, if access not through role
+  s3_backups_bucket = # name of S3 backup bucket
   ```
 
   After adding the secrets, run

puppet/zulip/files/postgresql/env-wal-g

@@ -13,9 +13,9 @@ if [ "$AWS_REGION" = "" ]; then
     fi
 fi
 export AWS_REGION
-AWS_ACCESS_KEY_ID=$(crudini --get "$ZULIP_SECRETS_CONF" secrets s3_backups_key)
+AWS_ACCESS_KEY_ID=$(crudini --get "$ZULIP_SECRETS_CONF" secrets s3_backups_key 2>/dev/null)
 export AWS_ACCESS_KEY_ID
-AWS_SECRET_ACCESS_KEY=$(crudini --get "$ZULIP_SECRETS_CONF" secrets s3_backups_secret_key)
+AWS_SECRET_ACCESS_KEY=$(crudini --get "$ZULIP_SECRETS_CONF" secrets s3_backups_secret_key 2>/dev/null)
 export AWS_SECRET_ACCESS_KEY
 if ! s3_backups_bucket=$(crudini --get "$ZULIP_SECRETS_CONF" secrets s3_backups_bucket 2>&1); then
     echo "Could not determine which s3 bucket to use:" "$s3_backups_bucket"

puppet/zulip/manifests/postgresql_base.pp

@@ -108,10 +108,8 @@ class zulip::postgresql_base {
     }
   }
 
-  $s3_backups_key        = zulipsecret('secrets', 's3_backups_key', '')
-  $s3_backups_secret_key = zulipsecret('secrets', 's3_backups_secret_key', '')
-  $s3_backups_bucket     = zulipsecret('secrets', 's3_backups_bucket', '')
-  if $s3_backups_key != '' and $s3_backups_secret_key != '' and $s3_backups_bucket != '' {
+  $s3_backups_bucket = zulipsecret('secrets', 's3_backups_bucket', '')
+  if $s3_backups_bucket != '' {
     include zulip::postgresql_backups
   }
 }