feat(s3): switch schema to use secrets with loader support

This will make applications using `emqx_s3` follow the same
conventions as bridges and support loading secrets from files
at runtime.

apps/emqx_s3/src/emqx_s3_schema.erl

@@ -14,9 +14,6 @@
 -export([translate/1]).
 -export([translate/2]).
 
--type secret_access_key() :: string() | function().
--reflect_type([secret_access_key/0]).
-
 roots() ->
     [s3].
 
@@ -36,13 +33,9 @@ fields(s3) ->
                 }
             )},
         {secret_access_key,
-            mk(
+            emqx_schema_secret:mk(
-                typerefl:alias("string", secret_access_key()),
                 #{
-                    desc => ?DESC("secret_access_key"),
+                    desc => ?DESC("secret_access_key")
-                    required => false,
-                    sensitive => true,
-                    converter => fun secret/2
                 }
             )},
         {bucket,
@@ -148,14 +141,6 @@ desc(s3) ->
 desc(transport_options) ->
     "Options for the HTTP transport layer used by the S3 client".
 
-secret(undefined, #{}) ->
-    undefined;
-secret(Secret, #{make_serializable := true}) ->
-    unicode:characters_to_binary(emqx_secret:unwrap(Secret));
-secret(Secret, #{}) ->
-    _ = is_binary(Secret) orelse throw({expected_type, string}),
-    emqx_secret:wrap(unicode:characters_to_list(Secret)).
-
 translate(Conf) ->
     translate(Conf, #{}).
 

apps/emqx_s3/test/emqx_s3_schema_SUITE.erl

@@ -132,7 +132,7 @@ t_sensitive_config_no_leak(_Config) ->
             Error = #{
                 kind := validation_error,
                 path := "s3.secret_access_key",
-                reason := {expected_type, string}
+                reason := invalid_type
             }
         ]} when map_size(Error) == 3,
         emqx_s3_schema:translate(