Credential chain #746

Merged 34 commits on Feb 8, 2022
Conversation

@endgame (Collaborator) commented Jan 10, 2022

Rewrite the authentication code to support something like an explicit "credential chain", in the vein of the official AWS SDKs. The Credentials data type is removed in favour of authentication functions of type Env' withEnv -> m Env or Env -> m Env; that's a function that takes an input Env' (either indifferent to authentication or in the case of sts:AssumeRole, requiring it), and produces a new output Env. This allows library clients much greater control over how they get the first set of access keys - if AWS releases some new way to acquire credentials, it's possible to plug that in much more easily than before.

This PR also breaks up the authentication into a bunch of separate modules. This has the nice side-effect of removing the .hs-boot files which came in when we started supporting sts:AssumeRoleWithWebIdentity.

On the library consumer side, the new Amazonka.Auth.STS.fromAssumedRole makes it easy to spin off a new Env under an assumed role, and the parser for credentials/config files has been rewritten to support many authentication methods supported by the official SDKs.

This also provides a workaround for the VPC issues in #271 - it's possible to write something like newEnv fromDefaultInstanceProfile and have amazonka skip the isEC2 check. (The IMDS client connects by IP; only the isEC2 check uses http://instance-data.)

Migration for most users will be to replace newEnv Discover with newEnv discover.

Recommend reviewing commit-by-commit.

Remaining work:

  • Punt logging format discussion to new issue
  • Detect infinite loops in config profiles
  • Punt de-underscoring field names to new issue
  • Mark support for profiles without profile prefix in config as "works, but not supported"
  • Fix failure to read credentials when ~/.aws/credentials exists but ~/.aws/config doesn't.

Closes #514
Closes #476
Closes #629
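The composable authentication functions the PR describes, as an added example (not amazonka's own code and not from the PR): a chain that prefers static keys from the environment, falls back to the instance profile, and then exchanges the result for a session on a narrowly scoped role. Only newEnv, fromKeysEnv, fromDefaultInstanceProfile and fromAssumedRole are names from the PR text; firstAuthOf is written here, and the argument order of fromAssumedRole and the AuthError exception type are assumptions.

```haskell
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE ScopedTypeVariables #-}
-- Added example, not code from the PR. Names from the PR text: newEnv, fromKeysEnv,
-- fromDefaultInstanceProfile, fromAssumedRole. Assumptions: fromAssumedRole takes
-- (role ARN, session name, Env); a failed auth function throws AuthError from
-- Amazonka.Auth.Exception. firstAuthOf is written here, not taken from amazonka.
module Main (main) where

import Amazonka (Env, Env', newEnv)
import Amazonka.Auth (fromDefaultInstanceProfile, fromKeysEnv)
import Amazonka.Auth.Exception (AuthError)
import Amazonka.Auth.STS (fromAssumedRole)
import Control.Monad.Catch (MonadCatch, try)
import Control.Monad.IO.Class (MonadIO)
import Data.Text (Text)

-- Run authentication functions in order; the first one that does not throw
-- an AuthError provides the Env. Later steps never run once one succeeds,
-- so put the most explicit source (static keys) first.
firstAuthOf ::
  (MonadCatch m, MonadIO m) =>
  [Env' withAuth -> m Env] ->
  Env' withAuth ->
  m Env
firstAuthOf [] _ = error "firstAuthOf: empty credential chain"
firstAuthOf [f] env = f env -- last step: let its AuthError propagate
firstAuthOf (f : fs) env = do
  r <- try (f env)
  case r of
    Right authed -> pure authed
    Left (_ :: AuthError) -> firstAuthOf fs env

-- Base credentials: keys from the process environment if present, otherwise
-- the instance profile via IMDS (which, as the PR notes, skips the isEC2 probe).
-- Then exchange them for a short-lived session on a scoped role, so the
-- long-lived base credentials are not what the application runs with.
deployEnv :: (MonadCatch m, MonadIO m) => Text -> m Env
deployEnv roleArn = do
  base <- newEnv (firstAuthOf [fromKeysEnv, fromDefaultInstanceProfile])
  fromAssumedRole roleArn "deploy-session" base

main :: IO ()
main = do
  -- placeholder ARN; substitute the role your deployment is allowed to assume
  _env <- deployEnv "arn:aws:iam::123456789012:role/PLACEHOLDER-DeployRole"
  putStrLn "credential chain resolved an Env"
```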

@endgame endgame added this to the 2.0 milestone Jan 10, 2022
@endgame (Collaborator, Author) commented Jan 10, 2022

CC:

  • @axman6 @lrworth , who helped brainstorm the initial design and pair-program the final changes (thanks very much!),
  • @fumieval @K0Te , who were in discussions when the initial version of the sts:AssumeRoleWithWebIdentity code was being hammered out, and may have opinions,
  • @lrworth @Unisay , who may also have opinions since they'll need to build atop the new auth stuff as soon as this looks solid.

@endgame (Collaborator, Author) commented Jan 11, 2022

Question for the floor: would it be worth adding pattern synonyms where there's a compatible new name?

@AlexeyRaga commented
I like it.
Things like fromAssumedRole, fromKeysEnv are very useful.

@endgame (Collaborator, Author) commented Jan 14, 2022

Another question: Should we detect infinite loops in the AWS config files? The other SDKs do, and we probably should.

@ghost left a comment

🤔

@brendanhay (Owner) left a comment

Changes look good, I like the new design!

@brendanhay (Owner) commented

Another question: Should we detect infinite loops in the AWS config files? The other SDKs do, and we probably should.

We should (eventually) - but I don't think it should get in the way of getting this released.

@endgame (Collaborator, Author) commented Jan 19, 2022

Another question: Should we detect infinite loops in the AWS config files? The other SDKs do, and we probably should.

We should (eventually) - but I don't think it should get in the way of getting this released.

I think it should be quick (execStateT while traversing the profile stuff), so I'll try to do it on this PR. Most other stuff should be moved into separate issues, which I'll do before merging this.

We pin to hashable-1.3.4.1 as it's the last 1.3.x.x version and stack
snapshots for GHC 8.10.7 still don't have hashable >=1.3.4.0 (which we
need for amazonka-dynamodb and amazonka-dynamodb-streams)

Also remove references to .hs-boot files which no longer exist.
@ghost left a comment

Just some quick things I noticed while skimming. Nice work man.

@endgame (Collaborator, Author) commented Feb 3, 2022

Going to leave this bake for a few days longer now that I've updated work code to run on it, but I think there's nothing stopping a merge early next week.

@endgame (Collaborator, Author) commented Feb 8, 2022

This has been working well for us at work, so I'm going to merge it.

@endgame endgame merged commit 29e4888 into brendanhay:main Feb 8, 2022
@endgame endgame mentioned this pull request Jan 8, 2023