PremiereGlobal / stim

Speeding up development with glue that brings tools together
MIT License

Kube config filter by token #74

Closed hyperbolist closed 3 years ago

hyperbolist commented 3 years ago

Tested stim kube config with every permutation of providing 1, 2 or 3 of --cf, --saf and --filter-by-token.

Vault's CapabilitiesSelf returns a "path" called capabilities when it receives only a single path in its request. Presumably this is for backward compatibility. It also returns the path with its capabilities, as it would when it returns a list of paths with their capabilities, which is what consumers of vault.Filter expect.

So we just throw away the capabilities "path". Otherwise users would see a dummy capabilities role along with the single expected role on aws login with --filter-by-token when the aws account only has a single role defined, or if their service account filter via --saf narrowed the set of possible roles down to 1.
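The single-path response shape described in the comment above, as an added Go example that is not part of this pull request or stim's code. `pathsWithCapability`, the sample path and the response map are constructed for illustration. Instead of deleting the key by name, it keeps only keys that were actually requested, which also covers a real path that happens to be named capabilities.

```go
package main

import (
	"fmt"
	"sort"
)

// pathsWithCapability is a hypothetical helper (not stim's vault.Filter).
// data is the decoded "data" object of a capabilities-self response and
// requested is the list of paths that was sent in the request.
func pathsWithCapability(data map[string]interface{}, requested []string, want string) []string {
	asked := make(map[string]bool, len(requested))
	for _, p := range requested {
		asked[p] = true
	}
	var out []string
	for key, raw := range data {
		// Skip keys we did not ask about. For a single-path request this
		// drops the extra top-level "capabilities" entry.
		if !asked[key] {
			continue
		}
		caps, ok := raw.([]interface{})
		if !ok {
			continue // unexpected value type, ignore rather than panic
		}
		for _, c := range caps {
			if s, ok := c.(string); ok && s == want {
				out = append(out, key)
				break
			}
		}
	}
	sort.Strings(out) // map iteration order is random; make output stable
	return out
}

func main() {
	// Constructed response for a request that named exactly one path.
	data := map[string]interface{}{
		"capabilities":           []interface{}{"read"},
		"aws/creds/example-role": []interface{}{"read"},
	}
	// Only the requested path is reported, not the duplicate entry.
	fmt.Println(pathsWithCapability(data, []string{"aws/creds/example-role"}, "read"))
}
```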

hyperbolist commented 3 years ago

I believe 26d3c76 addresses all of your stated concerns.