Account ID endpoint routing

[dlm6693]

Adds the ability for AWS services to route customers to account ID-specific endpoints. This PR can be reviewed in two parts.

Part 1 (commits 1-2)

Adds account_id as an optional input to Credentials, RefreshableCredentials and ReadOnlyCredentials. It is also added to DeferredRefreshableCredentials as an internal variable.

It is resolved to a non-null value when possible in a number of supported credential providers:

• AssumeRoleProvider/AssumeRoleWithWebIdentityProvider: parsed from AssumedRoleUser.Arn in assume role response.
• SSOProvider: sourced from sso_account_id profile parameter in AWS config file
• EnvProvider: sourced from AWS_ACCOUNT_ID environment variable
• ConfigProvider: sourced from aws_account_id profile parameter in AWS config file
• SharedCredentialsProvider: sourced from aws_account_id profile parameter in AWS shared credentials file
• ProcessProvider: sourced from AccountId parameter returned in credential process response or aws_account_id profile parameter if the former isn't available.

It can also be configured statically to a botocore client via the aws_account_id arg in Session.create_client or the account_id arg in Session.set_credentials

Part 2 (commits 3-4)

Adds the config setting account_id_endpoint_mode and used during endpoint resolution. When enabled and configured in a service's ruleset, the endpoint resolver will attempt to resolve AccountId as an input parameter to the endpoint provider.

• Account ID is treated as an endpoint builtin parameter Aws::Auth::AccountId defaulting to None. If the config setting is enabled, the parameter is configured in the ruleset and the builtin hasn't been set during the before-endpoint-resolution event, account ID will be resolved from credentials.
• valid config settings for account_id_endpoint_mode are preferred, required and disabled (case sensitive). Defaults to preferred if not supplied by a customer.
• Account ID based routing is always disabled for UNSIGNED requests and presigned URLs

Updates since opening the PR

• Account ID based routing is not disabled for presigned URLs
• endpoint builtin resolution is layered through a couple of abstractions. CredentialBuiltinResolver is responsible for actually resolving the account ID value (and future credential builtin values). If/when other types of builtin resolvers are required they will all be passed to EndpointBuiltinResolver. This construct has one public API resolve which is called by the ruleset resolver.

[codecov-commenter]

Codecov Report

Attention: 1 lines in your changes are missing coverage. Please review.

Comparison is base (e1c055e) 93.46% compared to head (eccd175) 93.50%.
Report is 22 commits behind head on develop.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #3031      +/-   ##
===========================================
+ Coverage    93.46%   93.50%   +0.04%     
===========================================
  Files           66       66              
  Lines        14007    14129     +122     
===========================================
+ Hits         13091    13212     +121     
- Misses         916      917       +1     

Files	Coverage Δ
botocore/args.py	100.00% <100.00%> (ø)
botocore/config.py	100.00% <ø> (ø)
botocore/configprovider.py	94.78% <ø> (ø)
botocore/credentials.py	98.51% <100.00%> (+0.08%)	⬆️
botocore/exceptions.py	99.56% <100.00%> (+<0.01%)	⬆️
botocore/session.py	97.20% <100.00%> (ø)
botocore/regions.py	92.54% <98.18%> (+0.92%)	⬆️

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[jonathan343]

Dropping a few comments after a first pass. I can take a deeper look sometime tomorrow.

[nateprewitt]

This test is a little opaque at first glance. We should make it clear that it's setting the account ID on an otherwise unset pair of credentials during refresh. That could be done with a few word docstring and asserting self.creds.account_id is None before mocking.

[dlm6693]

Accessing self.creds.account_id triggers the refresh. I've updated to change the expiry time so we can refresh again and set account ID the second time.

[dlm6693]

Since there is extra work required to trigger a refresh twice in the same test, I refactored to make the unset check a separate test.

[nateprewitt]

Resolving for inclusion at a later date.