
Conversation

@seluard
Contributor

@seluard seluard commented Oct 20, 2025

Description

This PR updates the AWS authentication handler to support the AWS SDK’s default credential chain, enabling native integration with modern AWS identity providers like IRSA (IAM Roles for Service Accounts) and EKS Pod Identity.

Previously, credentials had to be explicitly provided via config literals. Now, if no credential file is set, the handler automatically falls back to config.LoadDefaultConfig, which supports:

  • IRSA (EKS service accounts)
  • EKS Pod Identity
  • EC2 Instance Profiles
  • Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
  • Shared credentials files (~/.aws/credentials)

This simplifies AWS deployments and aligns with best practices by avoiding static credentials.
This makes it much easier to deploy the AI Gateway on AWS infrastructure while following AWS security best practices by avoiding static credentials.

The PR includes:

  • Refactored AWS authentication handler to use the default credential chain when no credentials file is provided
  • Added example configs for IRSA and EKS Pod Identity
  • Updated documentation with setup guides for both methods
  • Extended tests to cover the new credential resolution logic
  • Updated API documentation

Related Issues/PRs (if applicable)

Closes #568

Special notes for reviewers:

The implementation maintains backward compatibility - existing configurations using credential file literals will continue to work exactly as before. The default credential chain is only used when CredentialFileLiteral is not provided (empty/nil).

I've tested that Pod Identity association works, but I don't have clusters set up with IRSA in place.

When running tests locally, it seems some in cmd/aigw are e2e, which leads to failures; I've disabled those locally.
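The resolution rule described above, as an added stdlib-only illustration that is not the PR's own code (the project's handler uses the AWS SDK's config.LoadDefaultConfig for the fallback branch): an empty CredentialFileLiteral selects the default chain, while a non-empty literal is parsed as a ~/.aws/credentials file and a broken literal fails instead of silently falling back to ambient credentials. The profile name parameter and the StaticCredentials type are assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

type StaticCredentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string
}

// parseCredentialFile reads the INI-style ~/.aws/credentials format
// carried in the literal and returns the requested profile.
func parseCredentialFile(literal, profile string) (*StaticCredentials, error) {
	profiles := map[string]map[string]string{}
	var cur string
	sc := bufio.NewScanner(strings.NewReader(literal))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue // blank line or comment
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			cur = strings.TrimSpace(line[1 : len(line)-1])
			profiles[cur] = map[string]string{}
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok || cur == "" {
			return nil, fmt.Errorf("malformed credentials line %q", line)
		}
		profiles[cur][strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	p, ok := profiles[profile]
	if !ok || p["aws_access_key_id"] == "" || p["aws_secret_access_key"] == "" {
		return nil, fmt.Errorf("profile %q missing or incomplete", profile)
	}
	return &StaticCredentials{p["aws_access_key_id"], p["aws_secret_access_key"], p["aws_session_token"]}, nil
}

// resolve mirrors the PR's rule: an empty literal selects the SDK default chain
// (IRSA, Pod Identity, instance profile, env vars, shared files); a non-empty
// but broken literal is an error, not a silent fallback to ambient credentials.
func resolve(literal, profile string) (useDefaultChain bool, creds *StaticCredentials, err error) {
	if strings.TrimSpace(literal) == "" {
		return true, nil, nil
	}
	creds, err = parseCredentialFile(literal, profile)
	return false, creds, err
}
```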

@seluard seluard changed the title Feat aws auth default feat: aws auth default Oct 20, 2025
@mathetake
Member

this is nice!

Signed-off-by: José Luis Jiménez Quereda <joseluisjimenezquereda@gmail.com>
@seluard seluard force-pushed the feat-aws-auth-default branch from 1c8a245 to d00d7c6 Compare October 21, 2025 06:26
@seluard seluard marked this pull request as ready for review October 21, 2025 06:29
@seluard seluard requested a review from a team as a code owner October 21, 2025 06:29
@seluard
Contributor Author

seluard commented Oct 21, 2025

As I had not put it up for review yet, I've just force-pushed with a rebase before doing so.

Member

@mathetake mathetake left a comment


// BackendSecurityPolicyAWSCredentials contains the supported authentication mechanisms to access aws.

could you write up a nice documentation comment here on the API as well?

@codecov-commenter

codecov-commenter commented Oct 21, 2025

Codecov Report

❌ Patch coverage is 76.92308% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.28%. Comparing base (0566de3) to head (270a4ae).

Files with missing lines Patch % Lines
internal/extproc/backendauth/aws.go 75.75% 4 Missing and 4 partials ⚠️
internal/controller/backend_security_policy.go 60.00% 3 Missing and 1 partial ⚠️

❌ Your project status has failed because the head coverage (78.28%) is below the target coverage (86.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1394      +/-   ##
==========================================
+ Coverage   78.26%   78.28%   +0.01%     
==========================================
  Files         132      132              
  Lines       13328    13349      +21     
==========================================
+ Hits        10431    10450      +19     
- Misses       2257     2258       +1     
- Partials      640      641       +1     


Signed-off-by: José Luis Jiménez Quereda <joseluisjimenezquereda@gmail.com>
@seluard seluard requested a review from mathetake October 22, 2025 10:10
Signed-off-by: José Luis Jiménez Quereda <joseluisjimenezquereda@gmail.com>
@seluard seluard requested a review from mathetake October 23, 2025 08:02
@seluard seluard changed the title feat: aws auth default feat: aws auth sdk default chain Oct 23, 2025
Member

@mathetake mathetake left a comment


💯 Awesome work!!!

Signed-off-by: Takeshi Yoneda <t.y.mathetake@gmail.com>
@mathetake mathetake enabled auto-merge (squash) October 23, 2025 16:08
@mathetake mathetake merged commit 80838bc into envoyproxy:main Oct 23, 2025
30 checks passed
AyushSawant18588 pushed a commit to AyushSawant18588/ai-gateway that referenced this pull request Oct 24, 2025
Signed-off-by: José Luis Jiménez Quereda <joseluisjimenezquereda@gmail.com>
Signed-off-by: ayush <ayush.sawant@nutanix.com>
@seluard seluard deleted the feat-aws-auth-default branch October 27, 2025 11:28


Development

Successfully merging this pull request may close these issues.

IAM roles for service accounts integration with AWS Bedrock auth

4 participants