Support IAM role chaining for IAM authentication

[heroldus]

Description

The change allows client to configure one or more AWS IAM roles to be assumed before using IAM authentication to connect to a Redshift instance.

Motivation and Context

Sometimes 3rd-party clients like BI tools are not deployed in the same AWS account as the Redshift they should connect to. To allow them to use IAM authentication to connect to the Redshift instance, they need to assume the AWS account of the Redshift cluster first. The setup looks like this:

AWS account A:

• Redshift instance
• AWS IAM role role_a which allows to getCredentials for the Redshift instance and a trust relationship to role_b

AWS account B:

• AWS IAM role role_b which is allowed to assume role_a
• BI tool with assigned instance profile and role_b

With the new plugin, the connection to Redshift inside the BI tool can be configured to assume role_a first to make the IAM authentication work.

Testing

The plugin has been tested in the above setup.

Screenshots (if appropriate)

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)

Checklist

• Local run of mvn install succeeds
• My code follows the code style of this project
• My change requires a change to the Javadoc documentation
• I have updated the Javadoc documentation accordingly
• I have read the README document
• I have added tests to cover my changes
• All new and existing tests passed
• A short description of the change has been added to the CHANGELOG

License

• By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.