Presigned requests generated by `aws-sdk-go-v2@1.24.1` fail with an `Unauthorized` error

[cPu1]

When building eksctl with the latest release of aws-sdk-go-2, API server requests containing URLs presigned by sts.PresignClient fail with an Unauthorized error.

aws-sdk-go-v2@1.24.1 now adds an extra header amz-sdk-request to the generated request, but this header is not allow-listed by aws-iam-authenticator server running on the control plane. This is likely due to this change which reorders the middleware operations to execute RetryMetricsHeader before Signing.