Docs: make IRSA first-class option

[maazghani]

Summary

The Amazon Bedrock docs currently imply that the native Bedrock provider should be configured with static AWS access keys in a Kubernetes Secret, but kagent also supports using the standard AWS credential chain, including IAM roles attached to the agent pod's ServiceAccount (for example, EKS IRSA).

This makes the current docs misleading for Kubernetes users, because the recommended setup is usually workload identity rather than long-lived access keys.

Current problem

The Bedrock provider page currently:

• says the native provider uses IAM credentials
• then immediately walks users through creating a Secret with AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
• does not clearly explain that apiKeySecret is optional for Bedrock
• does not show how to use serviceAccountName or serviceAccountConfig.annotations for IAM role-based auth

Expected docs behavior

The Bedrock docs should:

• present IAM role / workload identity as the recommended Kubernetes setup
• keep static access keys as an alternative fallback
• clarify that apiKeySecret is optional for the native Bedrock provider
• include an example using an existing ServiceAccount
• include an example using serviceAccountConfig.annotations for IRSA-style setup
• optionally mention the Helm-level shared ServiceAccount option

Why this matters

Without this clarification, users may:

• create unnecessary long-lived AWS access keys
• assume IAM roles are unsupported
• miss the more secure and more idiomatic Kubernetes deployment pattern

Proposed scope

Update:

• the public Amazon Bedrock provider docs page in the website repo
• any internal/reference docs that still describe Bedrock as access-key-only