Inject in AWS credential provider #26

@mattbates

In an earlier version of a project that preceded spiffe-enable, we had an AWS credential provider.

I propose we inject in this provider in the presence of a role ARN in a spiffe.cofide.io annotation. The provider is a sidecar that interacts with AWS (STS) to obtain a short-lived IAM token.

We should work out if we wish to ship this in a single build of spiffe-enable or whether there is a case to build platform-specific distributions (e.g. spiffe-enable-aws) so as to not bloat the binary and increase the potential attack surface.

Labels: enhancement
