Make derive_ses_smtp_password.py more naturally scriptable

[dannyroberts]

https://dimagi.atlassian.net/browse/SAAS-19728

Replaces the --secret <secret> argument (an anti-pattern: secrets on the command line leak into shell history and ps) with a positional file argument that accepts a path or - for stdin. Adds a --csv flag that interprets the input as the access-keys CSV that AWS provides for download, so you can pipe / pass that file directly without preprocessing.

Before

SES_SECRET=$(cat ${CREDENTIAL_FILE} | head -n2 | tail -n1 | cut -d',' -f2)
./scripts/aws/derive_ses_smtp_password.py --region us-east-1 --secret ${SES_SECRET}

After

./scripts/aws/derive_ses_smtp_password.py --region us-east-1 --csv /path/to/iam_user_name_accessKeys.csv
# or
cat /path/to/iam_user_name_accessKeys.csv | ./scripts/aws/derive_ses_smtp_password.py --region us-east-1 --csv 
# or (with just the bare secret in the clipboard)
pbpaste | ./scripts/aws/derive_ses_smtp_password.py --region us-east-1 -

Test plan

Tested the following manually against a real (now-expired) access key before and after the change to make sure the output was in all cases the same as it was previously:

• Bare secret with a file
• Bare secret via stdin (-)
• --csv with a file
• --csv via stdin

I also checked that our internal documentation pointing to this command references the comment in this file and does not provide its own instructions, so it does not need to be updated.