PYTHON-3942 Enable AzureKMS through AWS Secrets Manager

[blink1073]

• Allows AzureKMS credentials to be pulled from AWS Secrets Manager using the instance profile credentials on the EVG hosts.
• Removes the Key Vault Crypto User role as part of teardown, if AZUREKMS_SCOPE is set. We were adding orphaned roles to the key vault.
• Passing build: https://spruce.mongodb.com/task/mongo_python_driver_testazurekms_variant_testazurekms_task_patch_9b6f2e18cfcdf56ad2afc988246060c4d20e11b8_65160838e3c331a022edc469_23_09_28_23_12_00/logs?execution=0
• Passing build with Go Driver using this branch (to show there are no regressions): https://spruce.mongodb.com/task/mongo_go_driver_testazurekms_variant_testazurekms_task_patch_60ded84e486dda6eea4f446d642571489a3ed3d0_6516199557e85ac21791c6f2_23_09_29_00_26_08/logs?execution=0
• Needed for PYTHON-3942 Use MongoDB managed Azure KMS credentials mongodb/mongo-python-driver#1381

[kevinAlbs]

Updated scripts pass with C driver.

Removal of orphaned roles is much appreciated. LGTM.

[NoahStapp]

Could we set this in an environment variable? Not a huge fan of setting even non-secret credentials inside a script.

[blink1073]

There are other places we hard-code ARNs or links in this repo. The intent here was that it should be entirely self-contained without drivers needing to manually update EVG project config, which is part of the reason for having this script in general.

[NoahStapp]

I'd prefer we migrate away form hard-coding ARNs in general, but that's a different discussion entirely. In the context of the existing repo, makes sense.