
feat(storage): support IAM authentication for S3 storage#358

Merged
dongmucat merged 1 commit into iflytek:main from vzpd:feat/s3-iam-auth
Apr 29, 2026

Conversation

Contributor

@vzpd vzpd commented Apr 29, 2026

Summary

  • When `access-key` / `secret-key` are left blank, fall back to the AWS `DefaultCredentialsProvider` chain so that deployments on EC2, ECS, and EKS can authenticate via instance profile, task role, or IRSA without static credentials.
  • Fully backward compatible — existing deployments with static credentials are not affected.

Changes

  • Extract `buildCredentialsProvider()` in `S3StorageService`: uses `StaticCredentialsProvider` when keys are set, `DefaultCredentialsProvider` otherwise.
  • Add `software.amazon.awssdk:sts` dependency (required for EKS Web Identity Token / IRSA).
  • Add unit tests for credential provider selection (static keys, blank keys, null keys, partial keys).
  • Update storage-spi docs (zh + en) and `.env.release.example` with IAM auth usage.

Validation

  • Backend tests passed (`mvn test -pl skillhub-storage -am` — 20 tests, 0 failures)
  • Full project compile passed (`mvn compile -pl skillhub-app -am` — all 7 modules)
  • Verified `DefaultCredentialsProvider` resolves env var credentials correctly
  • Verified graceful error when no credentials are available (no NPE, clear error message)
  • Frontend typecheck/build passed — no frontend changes
  • OpenAPI SDK regenerated or checked — no API contract changes

Commands run:

```bash
# Unit tests
docker run --rm -v ./server:/workspace -w /workspace maven:3.9-eclipse-temurin-21 \
  mvn test -pl skillhub-storage -am --batch-mode

# Full compile
docker run --rm -v ./server:/workspace -w /workspace maven:3.9-eclipse-temurin-21 \
  mvn compile -pl skillhub-app -am --batch-mode
```

Risk

  • User-facing impact: None for existing users. New capability for AWS IAM users.
  • Deployment or migration impact: None. Existing env vars continue to work as-is.
  • Rollback approach: Revert this commit. No data migration needed.

Notes

  • Related issue: N/A
  • Follow-up work: None
  • Docs updated: `storage-spi.md` (zh + en), `.env.release.example`

When access-key / secret-key are left blank, fall back to the AWS
DefaultCredentialsProvider chain so that deployments on EC2, ECS,
and EKS can authenticate via instance profile, task role, or IRSA
without static credentials.

- Extract buildCredentialsProvider() in S3StorageService
- Add sts dependency for Web Identity Token (EKS) support
- Add unit tests for credential provider selection
- Update storage-spi docs (zh + en) and env example
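The provider selection the description lists (static keys when both are configured, the AWS default chain when both are blank, and some decision for a half-configured pair), written out as an added example in Java against AWS SDK v2. This is not the project's `S3StorageService` code: the class name `S3CredentialsExample`, the choice to reject partial keys with an exception rather than fall back, and the startup-time `resolveCredentials()` check are assumptions of this example, not behaviour the PR states.

```java
// Added example, not the project's code. Class name, the fail-fast handling of a
// half-configured key pair and the startup credential check are assumptions.
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.core.exception.SdkClientException;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;

public final class S3CredentialsExample {

    /** Static keys when both are set, the default chain when both are blank. */
    static AwsCredentialsProvider buildCredentialsProvider(String accessKey, String secretKey) {
        boolean hasAccess = accessKey != null && !accessKey.isBlank();
        boolean hasSecret = secretKey != null && !secretKey.isBlank();
        if (hasAccess && hasSecret) {
            return StaticCredentialsProvider.create(AwsBasicCredentials.create(accessKey, secretKey));
        }
        if (hasAccess != hasSecret) {
            // Assumed policy: a half-configured pair is a misconfiguration, not a
            // signal to silently pick up whatever identity the host happens to have.
            throw new IllegalArgumentException(
                "S3 access-key and secret-key must be set together or both left blank");
        }
        // Default chain order in SDK v2: system properties, environment variables,
        // web identity token file (IRSA; needs the sts module on the classpath),
        // shared config/credentials profile, ECS container credentials, EC2 IMDS.
        return DefaultCredentialsProvider.create();
    }

    /** Resolve once at startup so a missing role fails with a clear message, not on the first upload. */
    static S3Client buildClient(String region, String accessKey, String secretKey) {
        AwsCredentialsProvider provider = buildCredentialsProvider(accessKey, secretKey);
        try {
            provider.resolveCredentials();
        } catch (SdkClientException e) {
            throw new IllegalStateException(
                "No S3 credentials available: set access-key/secret-key or attach an IAM role", e);
        }
        return S3Client.builder()
                .region(Region.of(region))
                .credentialsProvider(provider)
                .build();
    }

    public static void main(String[] args) {
        // Blank keys: default chain (instance profile, task role, IRSA, ...).
        System.out.println(buildCredentialsProvider("", "").getClass().getSimpleName());
        // Both keys: static provider, default chain never consulted.
        System.out.println(buildCredentialsProvider("AKIAEXAMPLE", "example-secret")
                .getClass().getSimpleName());
        // Partial keys: rejected rather than silently falling back.
        try {
            buildCredentialsProvider("AKIAEXAMPLE", null);
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The startup resolve is worth keeping even though the SDK would eventually raise the same `SdkClientException` ("Unable to load credentials from any of the providers in the chain"): on ECS and EKS the failure mode is otherwise a timeout against the container credentials endpoint or IMDS on the first request, which is much harder to attribute to a missing task role or missing IRSA annotation.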

CLAassistant commented Apr 29, 2026

CLA assistant check
All committers have signed the CLA.

Collaborator

@dongmucat dongmucat left a comment


LGTM, thanks for this PR!

The OIDC integration design is clean: it reuses the existing OAuth2 admission, binding and session chain, needs no new tables and no frontend changes, the claims mapping logic is clear, and the test coverage is in place. Details like keeping the Chinese and English docs in sync and the registration ID conflict warning were all taken care of; very thorough.

Good to merge.

@dongmucat dongmucat merged commit de8d17a into iflytek:main Apr 29, 2026
4 checks passed