legacy-cloud-providers: aws: Add support for consuming web identity credentials

[sjenning]

What type of PR is this?

/kind bug

What this PR does / why we need it:

The in-tree AWS cloud provider currently uses a custom credential chain that does not support using service account tokens to authenticate with the AWS API. Namely the WebIdentityTokenProvider.

This is a pick from the external v1 AWS provider in kubernetes/cloud-provider-aws#238

I am aware that the in-tree legacy cloud providers are not looking to make changes at this point but I wanted to have a discussion about it.

Does this PR introduce a user-facing change?

None

[sjenning]

/sig cloud-provider

[nckturner]

/area provider/aws

[cheftako]

/assign @nckturner
Nick does this look good to you?
Seems like a legitimate bug fix to me.
/lgtm

[cheftako]

/assign

[cheftako]

/priority important-soon

[cheftako]

/triage accepted

[nckturner]

@cheftako agreed, I'd call it a bug fix because not being able to use the "web identity" JWTs in the credential chain is unintended and hampers certain use cases like using bound service account tokens for authentication to AWS when using the legacy provider in KCM.

[nckturner]

/lgtm

[cheftako]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cheftako, sjenning

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• staging/src/k8s.io/legacy-cloud-providers/OWNERS [cheftako]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment