S3 binary cache: support assumed roles

[JackKelly-Bellroy]

Is your feature request related to a problem? Please describe.
It is not currently possible to use a private S3 binary cache with an assumed IAM role, because STSProfileCredentialsProvider is not in the default credentials resolution chain.

Describe the solution you'd like
Given a profile in .aws/config that sets role_arn and source_profile in a profile foo, have s3://bucket?profile=foo perform an sts:AssumeRole call instead of failing with Access Denied.

Describe alternatives you've considered
A workaround is to create a new key pair in the account holding the bucket, but that means creating and managing more sets of credentials.

[JackKelly-Bellroy]

As a workaround, the bucket policy can allow IAM users in other accounts to access it.

[dhess]

Ugh, I just discovered this issue today myself. We've been configuring our EC2 NixOS instances to use IAM auth to assume a role that can read our private S3 Nix binary cache, and all this time I thought it was working....

At the very least, the docs should be updated to mention this limitation.

[stale]

I marked this as stale due to inactivity. → More info

[JackKelly-Bellroy]

Still relevant, and you're still annoying.

[JackKelly-Bellroy]

I tried wiring the STSProfileCredentialsProvider into the way Nix acquires credentials, but ran into aws/aws-sdk-cpp#1963