Support for AWS External account Web Identity Token File based Authentication

[thebongy]

Currently, authenticating with findDefaultCredentials() in AWS environments with workload identity federation only supports two schemes of authentication on AWS:

• Instance metadata (v1/v2)
• AWS_ACCOUNT_KEY_ID/SECRET environment variable
  (ref: https://github.com/golang/oauth2/blob/master/google/internal/externalaccount/aws.go)

AWS supports another authentication scheme called "WEB_IDENTITY_TOKEN_FILE" which uses oauth2/OIDC to generate temporary AWS credetials. This is commonly used in EKS environments when k8 service accounts are annotated to use an AWS IAM role: (https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). It would be great if this SDK also supports this to make the integration in eks based workloads seamless.

[duckie]

This feature is dearly missing for some use cases.

For job based stuff, like Atlantis for instance, or other CI software, you can make do by populating your environment with a call to STS AssumeRoleWithWebIdentity and get a set of tokens for the duration of your job.

But for controllers, such as GCP Secret CSI store, the only way to go is to have a service account long term json credentials.