Allow user to set policy and policy_arns in `WebIdentityTokenCred…

…entialsProvider` builder (#3506)

Related PR: #1892

## Motivation and Context
This change allows users to define inline IAM policies and/or set
predefined policies (using their ARNs) with
`WebIdentityTokenCredentialsProvider`

## Description
Adds `policy` and `policy_arns` to `WebIdentityTokenCredentialsProvider`
builder.

## Testing

## Checklist
<!--- If a checkbox below is not applicable, then please DELETE it
rather than leaving it unchecked -->
- [x] I have updated `CHANGELOG.next.toml` if I made changes to the
smithy-rs codegen or runtime crates
- [x] I have updated `CHANGELOG.next.toml` if I made changes to the AWS
SDK, generated SDK code, or SDK runtime crates

----

_By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice._

---------

Co-authored-by: ysaito1001 <[email protected]>

CHANGELOG.next.toml

@@ -11,6 +11,12 @@
 # meta = { "breaking" = false, "tada" = false, "bug" = false, "target" = "client | server | all"}
 # author = "rcoh"
 
+[[aws-sdk-rust]]
+message = "Ability to add an inline policy or a list of policy ARNs to the `WebIdentityTokenCredentialsProvider` builder."
+references = ["smithy-rs#3506"]
+meta = { "breaking" = false, "tada" = true, "bug" = false }
+author = "mokhaled2992"
+
 [[aws-sdk-rust]]
 message = "Make `BehaviorVersion` be future-proof by disallowing it to be constructed via the `BehaviorVersion {}` syntax."
 references = ["aws-sdk-rust#1111", "smithy-rs#3513"]

aws/rust-runtime/aws-config/src/web_identity_token.rs

@@ -64,10 +64,11 @@
 use crate::provider_config::ProviderConfig;
 use crate::sts;
 use aws_credential_types::provider::{self, error::CredentialsError, future, ProvideCredentials};
-use aws_sdk_sts::Client as StsClient;
+use aws_sdk_sts::{types::PolicyDescriptorType, Client as StsClient};
 use aws_smithy_async::time::SharedTimeSource;
 use aws_smithy_types::error::display::DisplayErrorContext;
 use aws_types::os_shim_internal::{Env, Fs};
+
 use std::borrow::Cow;
 use std::path::{Path, PathBuf};
 
@@ -84,6 +85,8 @@ pub struct WebIdentityTokenCredentialsProvider {
     time_source: SharedTimeSource,
     fs: Fs,
     sts_client: StsClient,
+    policy: Option<String>,
+    policy_arns: Option<Vec<PolicyDescriptorType>>,
 }
 
 impl WebIdentityTokenCredentialsProvider {
@@ -150,6 +153,8 @@ impl WebIdentityTokenCredentialsProvider {
         load_credentials(
             &self.fs,
             &self.sts_client,
+            self.policy.clone(),
+            self.policy_arns.clone(),
             &conf.web_identity_token_file,
             &conf.role_arn,
             &conf.session_name,
@@ -163,6 +168,8 @@ impl WebIdentityTokenCredentialsProvider {
 pub struct Builder {
     source: Option<Source>,
     config: Option<ProviderConfig>,
+    policy: Option<String>,
+    policy_arns: Option<Vec<PolicyDescriptorType>>,
 }
 
 impl Builder {
@@ -193,6 +200,31 @@ impl Builder {
         self
     }
 
+    /// Set an IAM policy in JSON format that you want to use as an inline session policy.
+    ///
+    /// This parameter is optional
+    /// For more information, see
+    /// [policy](aws_sdk_sts::operation::assume_role::builders::AssumeRoleInputBuilder::policy_arns)
+    pub fn policy(mut self, policy: impl Into<String>) -> Self {
+        self.policy = Some(policy.into());
+        self
+    }
+
+    /// Set the Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies.
+    ///
+    /// This parameter is optional.
+    /// For more information, see
+    /// [policy_arns](aws_sdk_sts::operation::assume_role::builders::AssumeRoleInputBuilder::policy_arns)
+    pub fn policy_arns(mut self, policy_arns: Vec<String>) -> Self {
+        self.policy_arns = Some(
+            policy_arns
+                .into_iter()
+                .map(|arn| PolicyDescriptorType::builder().arn(arn).build())
+                .collect::<Vec<_>>(),
+        );
+        self
+    }
+
     /// Build a [`WebIdentityTokenCredentialsProvider`]
     ///
     /// ## Panics
@@ -206,13 +238,17 @@ impl Builder {
             fs: conf.fs(),
             sts_client: StsClient::new(&conf.client_config()),
             time_source: conf.time_source(),
+            policy: self.policy,
+            policy_arns: self.policy_arns,
         }
     }
 }
 
 async fn load_credentials(
     fs: &Fs,
     sts_client: &StsClient,
+    policy: Option<String>,
+    policy_arns: Option<Vec<PolicyDescriptorType>>,
     token_file: impl AsRef<Path>,
     role_arn: &str,
     session_name: &str,
@@ -228,6 +264,8 @@ async fn load_credentials(
     let resp = sts_client.assume_role_with_web_identity()
         .role_arn(role_arn)
         .role_session_name(session_name)
+        .set_policy(policy)
+        .set_policy_arns(policy_arns)
         .web_identity_token(token)
         .send()
         .await