Support role chaining in AWS signing filter

[Nevon]

Title: Support role chaining in AWS signing filter

Description:
Currently the AWS signing filter supports a few different ways of getting credentials to use for signing requests. However, as far as I can tell, it does not support role chaining where one set of credentials is used in order to assume another role with which to sign the requests.

In my particular case, I need to configure Envoy as a signing proxy deployed as part of an ECS task, where the identity used to sign requests is not the ECS task role, but another role that the ECS task is able to assume. I would imagine that this would be a new credential provider like AssumeRoleProvider that would in turn receive a credential provider chain from which to get the credentials needed to assume the role as needed.

Relevant Links:

• Role chaining documentation
• Envoy AWS request signing filter credentials documentation

[nbaws]

This seems like a reasonable request. The devil would be in the details for implementing this however, probably some refactoring of the credential caching system to handle the extra layer of redirection.
I'd be happy to take this on but it would be a few months out given the current backlog of fixes for this extension.