OIDC tokens can now restrict which AWS roles they assume
AssumeRoleWithWebIdentity seems to have a new, barely-documented, policy
condition key. It's called sts:RoleAuthorizedByIdp and if you're anything like
me (my condolences), that name will pique your interest. It's not super useful
today (unless you're running an OIDC IdP), but its utility will grow as adoption
improves over time. So here's what I've learned so far.