Use CSI TokenRequest for obtaining service account tokens

[dronenb]

Other providers for the Secrets Store CSI driver leverage the CSI driver's (not the provider's) ability to obtain service account tokens for pods that use that CSI driver (see here). This way, the providers nor the driver need the create serviceaccounts/token role.

Code in question:

secrets-store-csi-driver-provider-aws/auth/auth.go

Lines 49 to 62 in b8df495

	func (p authTokenFetcher) FetchToken(ctx credentials.Context) ([]byte, error) {
	// Use the K8s API to fetch the token from the OIDC provider.
	tokRsp, err := p.k8sClient.ServiceAccounts(p.nameSpace).CreateToken(ctx, p.svcAcc, &authv1.TokenRequest{
	Spec: authv1.TokenRequestSpec{
	Audiences: []string{tokenAudience},
	},
	}, metav1.CreateOptions{})
	if err != nil {
	return nil, err
	}
	return []byte(tokRsp.Status.Token), nil
	}

Examples of this from other providers:

https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp/blob/main/auth/auth.go#L187-L198

https://github.com/Azure/secrets-store-csi-driver-provider-azure/blob/41b07df322b82a56915ba63abb56c16c37730d33/pkg/auth/auth.go#L304-L327

Without this, the AWS provider will continue to be over-privileged.

[jirkafajfr]

Thank you @dronenb, we've noted this as a feature request.