feature: do not require shared state for role policies #5
Description
The current implementation expects that both the S3 proxy and STS proxy know about the roles and how to resolve them.
If the policies are not too big it could make sense to pass the role policy rather than the ARN. This way the S3 proxy just receives the policy that must be met and they don´t need to resolve the roles. This is interesting when there are just a few STS servers but a lot of S3 proxies.
This should however be a configurable option as it sacrifices a bit of security because generated credentials would remain valid their whole lifetime (changing the role permissions wouldn't impact access) and every setup would have to evaluate whether that is an acceptable risk for their use case.