
Add initial support assume role credential resolver #721

Open
arandito wants to merge 1 commit into smithy-lang:develop from arandito:assume-role-resolver

Conversation

@arandito

Contributor

Important

This PR adds a standalone Assume Role credential resolver that can only be used programmatically. We do not currently support reading from a shared AWS config file and do not have a mechanism to create profile-based credential providers in the default chain. Once both land, users will be able to configure assume role credentials from their shared config file. However, this will immediately unblock anyone wishing to use assume role credentials.

Description

This PR adds an Assume Role credentials resolver to the Smithy Python runtime that allows clients to source credentials from the AWS Security Token Service (STS) using the AssumeRole API.

Changes

  • Introduces AssumeRoleCredentialsResolver in the identity module of the smithy-aws-core package
  • Executes an async STS Assume Role call using credentials resolved from a nested source_resolver that must be of the AWSCredentialsResolver type. It then converts the API output shape into an AWSCredentialsIdentity.
  • Reuses cached credentials when they are still valid and refreshes them when credentials have expired.
  • Supports MFA-protected roles via an optional mfa_serial and an async mfa_code_provider callback. The callback is invoked on every assume so a fresh, single-use token code is supplied on each credential refresh.
  • Adds a generated, trimmed nested STS client under _private/nested_clients/aws_sdk_sts/ that includes only the AssumeRole operation, exposed behind a new [assume-role] package extra that pulls in smithy-xml for the awsQuery protocol.

Testing

  • Added unit test coverage for resolver behavior
  • Tested E2E with aws-sdk-bedrock-runtime client.
    • Confirmed AssumeRoleCredentialsResolver uses the nested resolver to sign the AssumeRole request
    • Confirmed multiple roles can be chained

Testing script:

import asyncio

from aws_sdk_bedrock_runtime.client import BedrockRuntimeClient
from aws_sdk_bedrock_runtime.config import Config
from aws_sdk_bedrock_runtime.models import ContentBlockText, ConverseInput, Message
from smithy_aws_core.identity import EnvironmentCredentialsResolver
from smithy_aws_core.identity import AssumeRoleCredentialsResolver


async def main():
    # First hop: environment credentials sign the AssumeRole call for TestAssumeRole.
    resolver = AssumeRoleCredentialsResolver(
        source_resolver=EnvironmentCredentialsResolver(),
        role_arn="arn:aws:iam::REDACTED:role/TestAssumeRole",
    )
    # Second hop: the first role's session credentials sign the AssumeRole call
    # for TestAssumeRole2 (role chaining).
    resolver2 = AssumeRoleCredentialsResolver(
        source_resolver=resolver,
        role_arn="arn:aws:iam::REDACTED:role/TestAssumeRole2",
    )
    # The client signs its own requests with the chained role's credentials.
    client = BedrockRuntimeClient(
        config=Config(
            endpoint_uri="https://bedrock-runtime.us-west-2.amazonaws.com",
            region="us-west-2",
            aws_credentials_identity_resolver=resolver2,
        )
    )
    response = await client.converse(
        ConverseInput(
            model_id="us.anthropic.claude-opus-4-8",
            messages=[
                Message(
                    role="user",
                    content=[ContentBlockText(value="Tell me a joke.")],
                )
            ],
        )
    )
    print(response)


asyncio.run(main())

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@arandito arandito requested a review from a team as a code owner June 19, 2026 18:02