pulumi/kubernetes-guides

[AWS, Azure] Implement identity bootstrapping

hausdorff opened this issue · 0 comments

The basic idea in our model is that the user will bootstrap infrastructure with the following series of actions:

  1. Create an account on one of the major cloud providers.
  2. Use the root account to provision the Pulumi identity stack.
  3. Once the identity stack is provisioned, we should have a user account for CI on the identity stack. This account has IAM admin permissions -- and ideally nothing else. Set up CI (e.g., using Travis CI) to use this account.
  4. All groups, policies, roles, as well as many service accounts, and sometimes users, should henceforth be provisioned via PR.
  5. Don't use the root account again, ever, unless you need to.

Currently this is already implemented for GCP.
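An added example, not code from pulumi/kubernetes-guides: a small guardrail for step 3 above that checks whether a policy document intended for the CI account grants only IAM actions ("IAM admin permissions -- and ideally nothing else"), suitable for running in the PR pipeline before the identity stack is updated. The three policy documents are constructed samples; the bucket ARN is a placeholder.

```python
# Added example, not pulumi/kubernetes-guides code; the policy documents
# below are constructed samples used to exercise the check.

# Too broad: effectively a second root account.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Scoped as the bootstrap model intends: IAM administration only.
IAM_ADMIN_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}],
}

# Drifted: an IAM-only policy that later grew an unrelated permission.
DRIFTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:CreateUser", "iam:AttachUserPolicy"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},  # placeholder ARN
    ],
}

def _as_list(value):
    """IAM allows Action/NotAction to be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def out_of_scope_actions(policy, service="iam"):
    """Return every Allow grant that reaches outside the given service."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; ignore them here.
        # NotAction on an Allow grants everything except the listed actions,
        # so it can never be in scope.
        for action in _as_list(stmt.get("NotAction")):
            findings.append("NotAction:" + action)
        for action in _as_list(stmt.get("Action")):
            if not action.lower().startswith(service + ":"):
                findings.append(action)  # catches "*" and "s3:GetObject" alike
    return findings

def is_service_scoped(policy, service="iam"):
    """True when every Allow grant stays inside one service namespace."""
    return not out_of_scope_actions(policy, service)
```

Run it against the policy your identity stack attaches to the CI user; a non-empty finding list means the CI identity has grown beyond IAM administration.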