Reconsider the default aws:skipMetadataCheck setting
In #1288 we disabled the metadata check in order to speed Pulumi up.
Unfortunately, this breaks Pulumi when running with an EC2 instance role, meaning lots of scenarios like self hosted CI/CD runners will not work.
It’s possible of course to fix this by setting the environment variable AWS_EC2_METADATA_DISABLED=false or running pulumi config set aws:skipMetadataApiCheck false, but it’s extremely difficult to figure that out unless you inherently know about this setting. This default setting seems to be violating the principle of least surprise and is causing a headache for those users who are setting Pulumi up in CI/CD.
To rectify this, we need to either:
- Provide concrete information back to the user about how to fix this. This might involve intercepting the AWS SDK calls and injecting information about why they’re getting this information
- Consider setting the default value back to false
It might be possible to intercept the error message, which currently looks a bit like this:
Error: NoCredentialProviders: no valid providers in chain
caused by: EnvAccessKeyNotFound: failed to find credentials in the environment.
SharedCredsLoad: failed to load profile, .
EC2RoleRequestError: no EC2 instance role found
caused by: RequestCanceled: EC2 IMDS access disabled via AWS_EC2_METADATA_DISABLED env var
But this comes from the AWS SDK, so we’d need to trap the error
Issue Analytics: Created 2 years ago; Reactions: 15; Comments: 10 (1 by maintainers)
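The two remedies the issue proposes (a clearer message, or a safer default) can be prototyped outside the provider. The following Python is an added example, not code from Pulumi or the AWS SDK: it models which setting decides whether the IMDS lookup is skipped, runs a pre-flight check that warns before any SDK call is made, and appends a remediation hint when the SDK error quoted above is the one that comes back. The precedence between `aws:skipMetadataApiCheck` and `AWS_EC2_METADATA_DISABLED`, and the list of environment variables treated as "static credentials", are assumptions for the sake of the example; the sample error text is constructed from the issue.

```python
import os

# Constructed sample of the SDK error quoted in the issue (no live SDK call is made).
SAMPLE_SDK_ERROR = (
    "NoCredentialProviders: no valid providers in chain\n"
    "caused by: EnvAccessKeyNotFound: failed to find credentials in the environment.\n"
    "SharedCredsLoad: failed to load profile, .\n"
    "EC2RoleRequestError: no EC2 instance role found\n"
    "caused by: RequestCanceled: EC2 IMDS access disabled via AWS_EC2_METADATA_DISABLED env var"
)

# Substring that identifies the root cause we want to explain.
IMDS_DISABLED_MARKER = "EC2 IMDS access disabled via AWS_EC2_METADATA_DISABLED"

REMEDIATION = (
    "Hint: the EC2 instance metadata service (IMDS) was never queried, so an "
    "instance role cannot be used. If this host should authenticate with an "
    "instance role, run `pulumi config set aws:skipMetadataApiCheck false` or "
    "export AWS_EC2_METADATA_DISABLED=false before running Pulumi."
)

# Assumed: these variables, when present, mean a static credential source exists
# and the IMDS lookup is not needed for the credential chain to succeed.
STATIC_CREDENTIAL_VARS = ("AWS_ACCESS_KEY_ID", "AWS_PROFILE")


def _is_true(value):
    return str(value).strip().lower() == "true"


def metadata_check_skipped(config, environ):
    """Return True if the IMDS lookup would be skipped.

    Assumed precedence (not stated on the page): an explicit provider config
    value wins over the environment variable, which wins over the default of
    skipping the check (the default the issue complains about).
    """
    cfg = config.get("aws:skipMetadataApiCheck")
    if cfg is not None:
        return _is_true(cfg)
    env = environ.get("AWS_EC2_METADATA_DISABLED")
    if env is not None:
        return _is_true(env)
    return True  # current default: skip the metadata check


def preflight_warning(config, environ):
    """Warn before any SDK call when the configuration can only fail.

    Returns a message when the metadata check is skipped and no static
    credential source is visible, otherwise None.
    """
    if not metadata_check_skipped(config, environ):
        return None
    if any(environ.get(name) for name in STATIC_CREDENTIAL_VARS):
        return None
    return (
        "Warning: aws:skipMetadataApiCheck is true and no static AWS credentials "
        "were found; an EC2 instance role will not be used. " + REMEDIATION
    )


def explain_credential_error(message):
    """Append a remediation hint when the SDK error is caused by the skipped
    IMDS lookup; return other errors unchanged."""
    if IMDS_DISABLED_MARKER in message:
        return message + "\n\n" + REMEDIATION
    return message


if __name__ == "__main__":
    # Simulate a CI runner that relies on its instance role and set nothing else.
    warning = preflight_warning({}, dict(os.environ))
    if warning:
        print(warning)
    print(explain_credential_error(SAMPLE_SDK_ERROR))
```

`preflight_warning` is the cheaper of the two approaches: it needs no access to SDK internals, only the same config and environment the provider already reads. `explain_credential_error` shows the string-matching fallback the issue mentions; it is brittle because it depends on the SDK's wording, which is the reason the issue prefers trapping the error inside the provider.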
This is still a problem. It would be great if we can get the default changed back, or at least fix the fact that the environment variable isn’t being picked up properly by the TF provider at the bottom of the chain.
AFAICT this problem manifests with the unhelpful error message
Dropping this here to help lost people like previous-me looking for an answer. The answer is: