Update container credentials method to use a different mount path

[philljie]

Description of changes:
Update container credentials method to use a different mount path than the STS AssumeRoleWithWebIdentity method. Prior this change, both methods will use the same mount path for the service account token. However, this approach may cause confusions during migration from the AssumeRoleWithWebIdentity method to the Container credentials method.

Suppose user has the following AWS config file, which would signal SDK to use the AssumeRoleWithWebIdentity method.

[profile my_profile]
role_arn = arn:aws:iam::11111111:role/my-cool-role
web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token

When the container credentials method is enabled for the service account, the audience of the token in/var/run/secrets/eks.amazonaws.com/serviceaccount/token will be set to pods.eks.amazonaws.com rather than sts.amazonaws.com, and thus STS will return InvalidIdentityToken.

A separate mount path is helpful because

1. Removes the invalid call to STS
2. Make it explicit that the token is not sharable between the two methods.

Testing:
Mutated pod spec before this change

spec:
  containers:
  - args:
    - while true; do sleep 5; done
    command:
    - /bin/bash
    - -c
    - --
    env:
    - name: AWS_DEFAULT_REGION
      value: us-west-2
    - name: AWS_REGION
      value: us-west-2
    - name: AWS_CONTAINER_CREDENTIALS_FULL_URI
      value: http://169.254.170.23/v1/credentials
    - name: AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE
      value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    image: public.ecr.aws/eks-distro-build-tooling/builder-base:latest
    imagePullPolicy: Always
    name: test-container
    ...
    volumeMounts:
    - mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
      name: aws-iam-token
      readOnly: true
  ...
  volumes:
  - name: aws-iam-token
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          audience: pods.eks.amazonaws.com
          expirationSeconds: 86400
          path: token

Mutated pod spec after this change

spec:
  containers:
  - args:
    - while true; do sleep 5; done
    command:
    - /bin/bash
    - -c
    - --
    env:
    - name: AWS_STS_REGIONAL_ENDPOINTS
      value: regional
    - name: AWS_DEFAULT_REGION
      value: us-west-2
    - name: AWS_REGION
      value: us-west-2
    - name: AWS_CONTAINER_CREDENTIALS_FULL_URI
      value: http://169.254.170.23/v1/credentials
    - name: AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE
      value: **/var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token**
    image: public.ecr.aws/eks-distro-build-tooling/builder-base:latest
    imagePullPolicy: Always
    name: test-container
...
    volumeMounts:
    - mountPath: /var/run/secrets/pods.eks.amazonaws.com/serviceaccount <----- Change #1a
      name: eks-pod-identity-token <----- Change #1b
      readOnly: true
...
  volumes:
  - name: eks-pod-identity-token <----- Change #2
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          audience: pods.eks.amazonaws.com
          expirationSeconds: 86400
          path: eks-pod-identity-token <----- Change #3

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.