Request: aws_auth should support specifying an IAM role when fetching executor images from ECR

[dan-lind]

Is there an existing issue that is already proposing this?

• I have searched the existing issues

Is your feature request related to a problem? Please describe it

Since the introduction of support for OIDC-tokens, CircleCI recommends using using OIDC tokens over Access Keys/Secrets.
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect

But looking at the docs at
https://circleci.com/docs/private-images/#aws-ecr
we can only specify a key/secret pair when fetching images from private ECR repos

aws_auth:
          aws_access_key_id: $AWS_ACCESS_KEY_ID_PRODUCTION
          aws_secret_access_key: $AWS_SECRET_ACCESS_KEY_PRODUCTION

Describe the solution you'd like

Support specifying a role-arn, similar to the example given here
https://circleci.com/docs/openid-connect-tokens/#adding-aws-to-the-circleci-configuration-file

Teachability, documentation, adoption, migration strategy

This change will allow users to follow security best practices as recommended by CircleCI.

What is the motivation / use case for changing the behavior?

Security. Users shouldn't be forced to use access keys and secrets when the rest of the CircleCI platform supports and recommends using OIDC tokens.

[Will956]

+1 please 🙏