Paws webidentity

[pjrh-moj]

This uses the new assume_role_with_web_identity function in paws to get the credentials, instead of having a manual curl. It doesn't make any functional difference.

Even if we don't merge this because "why fix something that isn't broken", I'm happy for this to sit here incase it helps us add stuff or fix things later.

Other notes:

• removes the fallback to the "automatic" authentication which used to happen, and instead gives an error about missing ARN or token file (I don't think this will make a difference - but breaking this out as a function might make it easier to add auth methods if the AP changes)
• new reliance on stringr::str_split(aws_role_arn, '/')[[1]][2] giving the username - I assume ARNs don't change format?
• it is weird that the initial sts call in paws needs to have dummy credentials otherwise it doesn't work (see https://github.com/paws-r/paws/issues/512) - the option to use anonymous = TRUE as a parameter in sts isn't available in the version of paws that the AP fetches by default (because it points to an old CRAN repo). So this looks odd, but does seem to work.

[mratford]

Aha! I hadn't realised you could start the sts service anonymously, hence the tortuous curl.

Unfortunately removing the fallback authentication means that this will fail in airflow jobs, which use "normal" AWS authentication rather than web identity. However I've just noticed that release 0.5.2 of paws adds AssumeRoleWithWebIdentity which hopefully will mean we don't need to jump through these hoops - I might have a bash with that now as a Friday afternoon project.

[mratford]

Also no, the ARN won't change format.

[pjrh-moj]

Yes, the guidance makes it sound like it should all “just work” but I couldn’t make it work nicely straight away so I just modified what you had already done. Let me know where you get to, because it would be nice if paws was able to just detect itself what auth is being used without so much manual intervention.