Design Proposal: IAM Roles Anywhere support in aws request signing extension #37440

@nbaws

Title: Design for IAM Roles Anywhere support in aws request signing extension

Description:
The following describes the implementation in PR #37193 of support for IAM Roles Anywhere (https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html).

IAM Roles Anywhere is an AWS feature that allows X509 certificates to be exchanged for temporary IAM credentials, so that systems with no AWS temporary credentials available (such as on-premises hosts) can call AWS APIs natively.

This PR implements three main components:

  • IAMRolesAnywhereX509CredentialsProvider: Retrieves X509 certificates, together with their serial number, signature algorithm and expiry, from an Envoy Datasource. Returns these as a new credential type, X509Credentials.
  • IAMRolesAnywhereSigV4Signer: Performs SigV4 signing of a request to the rolesanywhere service, but with a modified signing algorithm that uses X509Credentials.
  • IAMRolesAnywhereCredentialsProvider (subclass of MetadataCredentialsProviderBase): Exchanges an X509Credentials for a Credentials, using IAMRolesAnywhereSigV4Signer. Returns temporary credentials via an async HTTP call, in much the same way as the InstanceProfile or WebIdentityProvider credentials providers.

The PR adds a new AWS Credential type 'X509Credentials' which is used in the above components for storage of certificates as well as for input into the signing process.
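As an added illustration of the "modified signing algorithm" the second component describes, the following Python is not the Envoy PR's code; it follows the publicly documented IAM Roles Anywhere variant of SigV4 (algorithm string AWS4-X509-RSA-SHA256, the certificate serial number in place of an access key id in the credential scope, the base64 DER certificate in an X-Amz-X509 header, and a private-key signature over the string to sign instead of the HMAC key chain). The class and function names, the constructed certificate bytes and the stand-in signer are assumptions; a real caller would pass the certificate's private key signer (for example `key.sign(msg, PKCS1v15(), SHA256())` from the cryptography library) as `sign_fn`. It also shows the expiry check a credentials provider should make before attempting the exchange.

```python
"""Added example, not Envoy code: Roles Anywhere flavour of SigV4 signing.

The structure follows the public AWS description of Roles Anywhere
authentication; names, sample values and the stand-in signer below are
assumptions and constructed inputs for illustration.
"""
import base64
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Tuple
from urllib.parse import quote

ALGORITHM = "AWS4-X509-RSA-SHA256"   # AWS4-X509-ECDSA-SHA256 for EC keys
SERVICE = "rolesanywhere"


@dataclass
class X509Credentials:
    """What the design's X509 credentials provider hands to the signer."""
    cert_der: bytes        # DER-encoded end-entity certificate
    serial_decimal: str    # certificate serial number as a decimal string
    not_after: datetime    # certificate expiry, UTC

    def is_usable(self, now: datetime) -> bool:
        # Refuse to sign with an expired certificate; the service would
        # reject the request anyway and the failure is clearer here.
        return now < self.not_after


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_request(method: str, path: str, query: Dict[str, str],
                      headers: Dict[str, str], body: bytes) -> Tuple[str, str]:
    """Standard SigV4 canonicalisation: lowercased, sorted, trimmed headers."""
    items = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in items)
    signed_headers = ";".join(k for k, _ in items)
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(query.items()))
    cr = "\n".join([method, quote(path, safe="/-_.~"), canonical_query,
                    canonical_headers, signed_headers, sha256_hex(body)])
    return cr, signed_headers


def sign_rolesanywhere_request(creds: X509Credentials, region: str, host: str,
                               body: bytes, now: datetime,
                               sign_fn: Callable[[bytes], bytes]) -> Tuple[Dict[str, str], str]:
    """Build signed headers for POST /sessions on the rolesanywhere endpoint.

    sign_fn signs the string-to-sign with the certificate's private key
    (RSA PKCS#1 v1.5 or ECDSA with SHA-256); this replaces the HMAC
    derivation chain that ordinary SigV4 runs from a secret access key.
    """
    if not creds.is_usable(now):
        raise ValueError("X.509 certificate has expired; refusing to sign")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    headers = {
        "Content-Type": "application/json",
        "Host": host,
        "X-Amz-Date": amz_date,
        # The certificate itself travels with the request so the service
        # can validate it against the trust anchor configured for the profile.
        "X-Amz-X509": base64.b64encode(creds.cert_der).decode("ascii"),
    }
    cr, signed_headers = canonical_request("POST", "/sessions", {}, headers, body)
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, sha256_hex(cr.encode())])
    signature = sign_fn(string_to_sign.encode()).hex()
    # Credential carries the certificate serial where SigV4 would put an access key id.
    headers["Authorization"] = (
        f"{ALGORITHM} Credential={creds.serial_decimal}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers, string_to_sign


# Constructed demo inputs: not a real certificate, not a real key.
DEMO_CERT_DER = b"DEMO-CERT-DER"


def stand_in_signer(message: bytes) -> bytes:
    """Deterministic placeholder for the private-key signature (NOT RSA)."""
    return hashlib.sha256(b"constructed-demo-key" + message).digest()


def demo() -> Tuple[Dict[str, str], str]:
    creds = X509Credentials(DEMO_CERT_DER, "123456789",
                            datetime(2025, 1, 1, tzinfo=timezone.utc))
    now = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    body = b'{"durationSeconds":3600}'
    return sign_rolesanywhere_request(
        creds, "us-east-1", "rolesanywhere.us-east-1.amazonaws.com",
        body, now, stand_in_signer)


if __name__ == "__main__":
    hdrs, sts = demo()
    print(hdrs["Authorization"])
    print(sts)
```

The exchange then POSTs the signed request to /sessions with the profile, role and trust anchor ARNs in the JSON body; the response carries the temporary access key, secret key and session token that the third component returns as ordinary Credentials.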

Labels: area/aws_request_signing, design proposal, stale