[V4] Update signers to handle anonymous credentials

[dscpinheiro]

Description

Reported in the V4 tracker (#3362 (comment)): If a customer's environment is set to assume a role with web identity, the request to STS doesn't include credentials but our SigV4 signer wasn't handling that properly after the SRA changes.

Testing

• Dry-run: DRY_RUN-2ed08959-fb2c-4b95-a703-5ae52229c08f

I also ran the app Martin shared locally, forcing the AssumeRoleWithWebIdentityCredentials provider to run (by setting the AWS_WEB_IDENTITY_TOKEN_FILE environment variable), and confirmed the request was made to STS (instead of throwing a null pointer exception - it still failed because I don't have an OIDC on my account but it reached the service).

Before:

AmazonSecurityTokenServiceClient 33|2025-03-06T00:07:17.695Z|ERROR|NullReferenceException making request AssumeRoleWithWebIdentityRequest to https://sts.us-west-2.amazonaws.com/. Attempt 1. 
--> System.NullReferenceException: Object reference not set to an instance of an object.

After:

AmazonSecurityTokenServiceClient 43|2025-03-06T00:08:28.281Z|ERROR|Error calling AssumeRole for role arn:aws:iam::000000000000:role/ec2-role 
---> Amazon.Runtime.AmazonClientException: Error calling AssumeRole for role arn:aws:iam::000000000000:role/ec2-role
---> Amazon.SecurityToken.Model.InvalidIdentityTokenException: The ID Token provided is not a valid JWT. (You may see this error if you sent an Access Token)

Types of changes

• Bug fix (non-breaking change which fixes an issue)

License

• I confirm that this pull request can be released under the Apache 2 license