
feat(auth): add AWS security credentials supplier support #5595

Open
Linkgoron wants to merge 2 commits into googleapis:main from Linkgoron:feat-auth-aws-security-credentials-supplier

Conversation

@Linkgoron

This PR adds a programmatic AWS external account builder that accepts caller-provided AWS region and security credentials. This lets applications delegate AWS credential resolution to the AWS SDK while google-cloud-auth builds the AWS subject token and performs the Google token exchange.

This, hopefully, adds behavior similar to what already exists in the Go, Python, or Node SDKs.

Also add supplier-path tests and censor sensitive AWS credential fields in Debug output.
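The supplier pattern and the Debug censoring that the PR description mentions, as an added example written for this page (not the PR's code and not google-cloud-auth's API): the trait and type names are assumptions modelled on the ones the PR names, the `StaticSupplier` and `debug_render` helpers are hypothetical, and all credential values are constructed.

```rust
use std::fmt;
// Hypothetical caller-provided AWS security credentials (assumed shape, not
// the project's own type).
#[derive(Clone)]
pub struct AwsSecurityCredentials {
    pub access_key_id: String,
    pub secret_access_key: String,
    pub session_token: Option<String>,
}

// Hand-written Debug: keep the key id for correlation, censor the secret key
// and session token so `{:?}` of a supplier or builder never leaks them to logs.
impl fmt::Debug for AwsSecurityCredentials {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("AwsSecurityCredentials")
            .field("access_key_id", &self.access_key_id)
            .field("secret_access_key", &"[censored]")
            .field("session_token", &self.session_token.as_ref().map(|_| "[censored]"))
            .finish()
    }
}

// Hypothetical supplier trait: the application resolves region and credentials
// (e.g. via its own AWS SDK); the auth library only consumes them.
pub trait AwsSecurityCredentialsSupplier: Send + Sync {
    fn region(&self) -> String;
    fn credentials(&self) -> AwsSecurityCredentials;
}

// Simplest supplier: values the application already holds.
pub struct StaticSupplier { pub region: String, pub creds: AwsSecurityCredentials }
impl AwsSecurityCredentialsSupplier for StaticSupplier {
    fn region(&self) -> String { self.region.clone() }
    fn credentials(&self) -> AwsSecurityCredentials { self.creds.clone() }
}

// What a debug log line built from the supplier's output would contain.
pub fn debug_render(supplier: &dyn AwsSecurityCredentialsSupplier) -> String {
    format!("region={} creds={:?}", supplier.region(), supplier.credentials())
}

fn main() {
    // Constructed sample values, not real credentials.
    let creds = AwsSecurityCredentials {
        access_key_id: "AKIAEXAMPLE".to_string(),
        secret_access_key: "constructed-secret".to_string(),
        session_token: Some("constructed-token".to_string()),
    };
    println!("{}", debug_render(&StaticSupplier { region: "us-east-1".to_string(), creds }));
}
```

Running it prints the region and key id but `[censored]` in place of both secrets, which is the property a reviewer would check before any `Debug` derive on a builder that embeds these credentials.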

@Linkgoron Linkgoron requested review from a team as code owners May 6, 2026 07:23
@google-cla

google-cla Bot commented May 6, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces support for AWS Workload Identity Federation by adding the AwsSecurityCredentialsSupplier trait and the AwsExternalAccountBuilder. It refactors the existing AWS credential resolution logic to support custom suppliers and includes new tests for these features. Review feedback suggests deriving Debug for the new builder to maintain consistency with repository style guides and recommends addressing an inconsistency in ProgrammaticBuilder regarding universe_domain handling.

Comment thread src/auth/src/credentials/external_account.rs Outdated
Comment thread src/auth/src/credentials/external_account.rs
@Linkgoron Linkgoron force-pushed the feat-auth-aws-security-credentials-supplier branch 2 times, most recently from f11f06e to 92c92ec Compare May 12, 2026 07:06
@Linkgoron Linkgoron force-pushed the feat-auth-aws-security-credentials-supplier branch 3 times, most recently from ffd50b3 to 69d4d23 Compare May 20, 2026 07:08
@dbolduc
Member

dbolduc commented May 21, 2026

Hey, thanks for the PR. It is probably correct, but we will need some time before we are able to look at it.

  • This feature isn't part of our planning cycle.
  • External credentials are hard to verify. We will need to invest some time in setting up a test environment.

In the meantime, you can ask your technical account manager / customer engineer for this feature to help us prioritize the work.

Linkgoron and others added 2 commits May 27, 2026 12:51
Add a programmatic AWS external account builder that accepts caller-provided AWS region and security credentials. This lets applications delegate AWS credential resolution to the AWS SDK while google-cloud-auth builds the AWS subject token and performs the Google token exchange.

Also add supplier-path tests and censor sensitive AWS credential fields in Debug output.
@Linkgoron Linkgoron force-pushed the feat-auth-aws-security-credentials-supplier branch from 69d4d23 to 05836dc Compare May 27, 2026 18:10