Rewrite aws_auth_login{} to use all conventional AWS authentication options

[timsolovev]

Description

Closes #1808, #1672
Relates to #1086

A re-implementation of AWS authentication with aws-sdk-go-v2 to perform authentication flow as closely as possible to Terraform AWS Provider.
Naturally, this change required me to completely cut out awsutil as it introduced its own logic of credential precedence that couldn't be worked around. All functions related to request construction and signing, as well as region resolution were implemented to mimic the original behaviour as closely as possible.

Support matrix for different credential sources in the order of precedence:

Credential Source	Old	New
Static credentials (access key, secret, token via provider config or env vars)	Partial, aws_role_arn ignored	Full
Static credentials (credentials file)	Partial, aws_role_arn ignored	Full
AWS Profile with assume-role (source_profile + role_arn in config)	No	Full
AWS SSO-based Profile	No	Full
Web Identity (IRSA / OIDC via AWS_ROLE_ARN + AWS_WEB_IDENTITY_TOKEN_FILE)	Yes	Full
ECS/CodeBuild Task Role (container credentials)	Partial, aws_role_arn ignored	Full
EC2 Instance Profile (IMDS)	Partial, aws_role_arn ignored	Full

In this implementation, auth_login_aws {} supports all these authentication methods and always assumes the role if it's available from one of the sources. It now also supports loading parameters such as aws_role_arn and region from the shared credentials/web identity.

For example, role will selected in the order of precedence:

• Explicit auth_login_aws { aws_role_arn = <role_arn> } in provider configuration
• $AWS_PROFILE
• (If applicable) aws_role_arn supplied with shared credentials/web identity token.

User-facing changes

• Previously, excessive configurations that used aws_profile with SSO profiles or provided aws_role_arn with static credentials were not validated, these options were quietly ignored. Now, these combinations will actually have an effect. If auth_login_aws.aws_role_arn or $AWS_ROLE_ARN are present, the provider will always attempt to assume that role using first available credentials in the order of precedence.

Checklist

• Added CHANGELOG entry (only for user-facing changes)
• Acceptance tests where run against all supported Vault Versions

Output from acceptance testing:

❯ make testacc TESTARGS='-run=TestAccProviderAuthLoginAWS'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test -run=TestAccProviderAuthLoginAWS -timeout 30m ./...
?       github.com/hashicorp/terraform-provider-vault   [no test files]
?       github.com/hashicorp/terraform-provider-vault/cmd/coverage      [no test files]
?       github.com/hashicorp/terraform-provider-vault/cmd/generate      [no test files]
ok      github.com/hashicorp/terraform-provider-vault/codegen   (cached) [no tests to run]
?       github.com/hashicorp/terraform-provider-vault/helper    [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/consts   [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/framework/base   [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/framework/client [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/framework/errutil        [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/framework/model  [no test files]
ok      github.com/hashicorp/terraform-provider-vault/internal/framework/validators     (cached) [no tests to run]
ok      github.com/hashicorp/terraform-provider-vault/internal/identity/entity  (cached) [no tests to run]
?       github.com/hashicorp/terraform-provider-vault/internal/identity/group   [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/identity/mfa     [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/pki      [no test files]
ok      github.com/hashicorp/terraform-provider-vault/internal/provider (cached) [no tests to run]
?       github.com/hashicorp/terraform-provider-vault/internal/provider/fwprovider      [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/providertest     [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/rotation [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/sync     [no test files]
ok      github.com/hashicorp/terraform-provider-vault/internal/vault/secrets/ephemeral  (cached) [no tests to run]
ok      github.com/hashicorp/terraform-provider-vault/internal/vault/sys        (cached) [no tests to run]
?       github.com/hashicorp/terraform-provider-vault/schema    [no test files]
ok      github.com/hashicorp/terraform-provider-vault/testutil  (cached) [no tests to run]
ok      github.com/hashicorp/terraform-provider-vault/util      (cached) [no tests to run]
ok      github.com/hashicorp/terraform-provider-vault/util/mountutil    (cached) [no tests to run]
ok      github.com/hashicorp/terraform-provider-vault/vault     (cached) [no tests to run]

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

PCI review checklist

• I have documented a clear reason for, and description of, the change I am making.

• If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.

• If applicable, I've documented the impact of any changes to security controls.

  Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.

[hashicorp-cla-app]

All committers have signed the CLA.