s3: support backup with session token and assume role (#15722)

[ti-chi-bot]

This is an automated cherry-pick of #15722

What is changed and how it works?

Issue Number: Close pingcap/tidb#39832
Issue Number: Close #15781

What's Changed:

1. support retrive session-token from input.
2. support assume role with role-arn and extrenal-id and keep the same behavior with tidb side.

 s3: support backup with session token and assume role

Related changes

• PR to update pingcap/docs/pingcap/docs-cn:
• Need to cherry-pick to the release branch

Check List

Tests

• Manual test (add detailed scripts or steps below)

session-token:

1. set env of token.

export AWS_ACCESS_KEY_ID="xxx"
export AWS_SECRET_ACCESS_KEY="yyy"
export AWS_SESSION_TOKEN="zzz"

2. do a full backup and check backup data in s3.

role-arn:

1. prepare two AWS account (A, B).
2. create a bucket in account A.
3. create a role for this bucket in account A.
4. create a trust relationship in account A for account B to assume above role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNTB:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "test-external-id"
                }
            }
        }
    ]
}

run backup with role-arn and external-id.

Side effects

• Performance regression
  • Consumes more CPU
  • Consumes more MEM
• Breaking backward compatibility

Release note

support backup and restore with session token and assume role.

[ti-chi-bot]

[REVIEW NOTIFICATION]

This pull request has not been approved.

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Reviewer can indicate their review by submitting an approval review.
Reviewer can cancel approval by submitting a request changes review.

[ti-chi-bot]

This cherry pick PR is for a release branch and has not yet been approved by triage owners.
Adding the do-not-merge/cherry-pick-not-approved label.

To merge this cherry pick:

1. It must be approved by the approvers firstly.
2. AFTER it has been approved by approvers, please wait for the cherry-pick merging approval from triage owners.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[kennytm]

Since this is a new feature, we are not going to cherry-pick to past releases. Please upgrade TiKV to v8.0 or above to use STS.