
Support Web Identity Token auth

Open · mdaniel opened this issue 1 year ago · 1 comment

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

As best I can tell, there is no support for aws sts assume-role-with-web-identity --role-arn "" --web-identity-token file:///var/secrets/token --role-session-name "" in the new native provider

This flow is meaningful when trying to run the provider from GitHub Actions, GitLab CI, or from inside a Kubernetes Pod which otherwise has live OIDC credentials assigned to it

While it is possible to have some out-of-band process to materialize credentials using that awscli command above and feed those to Pulumi, one can hopefully see that is highly suboptimal. The AWS SDKs support the environment variables with their obvious names (AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE, AWS_ROLE_SESSION_NAME) as seen here so it would be the principle of least surprise for Pulumi's provider to also support them

There seems to be only lightweight support for using env-vars for configuring the provider, so I'm sure an acceptable work-around would be to have aws-native:config:WebIdentityTokenFile and aws-native:config:RoleSessionName in the interim, although for organization-wide usage (such as in GitHub Actions, GitLab CI, etc) doing that stack-by-stack would be a pain versus setting the env-vars that AWS expects

On the off chance it matters: the other team honors it although as best I can tell they get it for free via the use of the aws-sdk-go-v2 import and not because they went out of their way to add it

Affected area/feature

mdaniel avatar Aug 18 '23 21:08 mdaniel
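As an added illustration (not code from this issue, from Pulumi, or from aws-sdk-go-v2), the resolution step the reporter is asking for: select the web-identity flow only when AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are both present, read the token, and fill in AWS_ROLE_SESSION_NAME. It uses only the Go standard library; the "both or error" rule, the JWT-shape check, and the generated session-name format are this example's own choices, and getenv/readFile/now are injected so it can be exercised without a real environment.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// WebIdentityConfig is the resolved input to sts:AssumeRoleWithWebIdentity.
type WebIdentityConfig struct{ RoleARN, Token, SessionName string }

// ResolveWebIdentity returns (nil, nil) when neither variable is set, so the
// caller can fall through to its other credential sources. A half-set pair is
// treated as a misconfiguration here (this example's choice) rather than ignored.
func ResolveWebIdentity(getenv func(string) string, readFile func(string) ([]byte, error), now func() time.Time) (*WebIdentityConfig, error) {
	roleARN := getenv("AWS_ROLE_ARN")
	tokenFile := getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
	if roleARN == "" && tokenFile == "" {
		return nil, nil // web identity not configured
	}
	if roleARN == "" || tokenFile == "" {
		return nil, errors.New("AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE must be set together")
	}
	if !strings.HasPrefix(roleARN, "arn:") {
		return nil, fmt.Errorf("AWS_ROLE_ARN %q is not an ARN", roleARN)
	}
	raw, err := readFile(tokenFile)
	if err != nil {
		return nil, fmt.Errorf("reading web identity token file: %w", err)
	}
	token := strings.TrimSpace(string(raw))
	// OIDC tokens (GitHub Actions, GitLab CI, Kubernetes SA tokens) are JWTs:
	// three dot-separated segments. Reject anything else before calling STS,
	// and never include the token itself in the error message.
	if len(strings.Split(token, ".")) != 3 || token == ".." {
		return nil, errors.New("web identity token is not a JWT")
	}
	session := getenv("AWS_ROLE_SESSION_NAME")
	if session == "" {
		// The SDK generates a name when none is given; this format is
		// the example's own, not the SDK's.
		session = fmt.Sprintf("web-identity-%d", now().Unix())
	}
	return &WebIdentityConfig{RoleARN: roleARN, Token: token, SessionName: session}, nil
}
```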

Thanks for filing this issue @mdaniel

I agree this would be a good additional option to support. We are also using the aws-sdk-go-v2 library so this should only require a small amount of extra code to allow this option to be used.

danielrbradley avatar Aug 21 '23 15:08 danielrbradley