feat: defines google.auth.aws.Credentials used for AWS workloads (#625

)

This will subclass the abstract class `google.auth.external_account.Credentials` and will compute subject tokens as follows:

- Retrieve AWS region from either `AWS_REGION` envvar or AWS metadata server `availability-zone`.
- Check AWS credentials in environment variables:
  - `AWS_ACCESS_KEY_ID`
  - `AWS_SECRET_ACCESS_KEY`
  - `AWS_SESSION_TOKEN`.

  If not found, get from AWS metadata server `security-credentials` endpoint.
- Get AWS credentials from AWS metadata server `security-credentials` endpoint.
  In order to retrieve this, the AWS role needs to be determined by calling
  `security-credentials` endpoint without any argument. Then the
  credentials can be retrieved via: `security-credentials/role_name`
- Generate the signed request to AWS STS `GetCallerIdentity` action.
- Inject `x-goog-cloud-target-resource` into reformatted header and serialize the
  signed request. This will be the subject-token to pass to GCP STS.

CHANGELOG.md

@@ -4,6 +4,13 @@
 
 [1]: https://pypi.org/project/google-auth/#history
 
+### [1.22.1](https://www.github.com/googleapis/google-auth-library-python/compare/v1.22.0...v1.22.1) (2020-10-05)
+
+
+### Bug Fixes
+
+* move aiohttp to extra as it is currently internal surface ([#619](https://www.github.com/googleapis/google-auth-library-python/issues/619)) ([a924011](https://www.github.com/googleapis/google-auth-library-python/commit/a9240111e7af29338624d98ee10aed31462f4d19)), closes [#618](https://www.github.com/googleapis/google-auth-library-python/issues/618)
+
 ## [1.22.0](https://www.github.com/googleapis/google-auth-library-python/compare/v1.21.3...v1.22.0) (2020-09-28)