Make AWS credential types more explicit (#4360)
* Make AWS credential types more explicit

The AWS secret engine had a lot of confusing overloading with role
parameters and how they mapped to each of the three credential types
supported. This now adds parameters to remove the overloading while
maintaining backwards compatibility.

With the change, it also becomes easier to add other feature requests.
Attaching multiple managed policies to IAM users and adding a policy
document to STS AssumedRole credentials is now also supported.

Fixes #4229
Fixes #3751
Fixes #2817

* Add missing write action to STS endpoint

* Allow unsetting policy_document with empty string

This allows unsetting the policy_document by passing in an empty string.
Previously, it would fail because the empty string isn't a valid JSON
document.

* Respond to some PR feedback

* Refactor and simplify role reading/upgrading

This gets rid of the duplicated role upgrade code between both role
reading and role writing by handling the upgrade all in the role
reading.

* Eliminate duplicated AWS secret test code

The testAccStepReadUser and testAccStepReadSTS were virtually identical,
so they are consolidated into a single method with the path passed in.

* Switch to use AWS ARN parser
joelthompson authored and jefferai committed Aug 16, 2018
1 parent d2f3abf commit 8275802
Showing 9 changed files with 900 additions and 371 deletions.
7 changes: 5 additions & 2 deletions builtin/logical/aws/backend.go
@@ -3,6 +3,7 @@ package aws
import (
"context"
"strings"
"sync"
"time"

"github.com/hashicorp/vault/logical"
@@ -34,10 +35,9 @@ func Backend() *backend {
Paths: []*framework.Path{
pathConfigRoot(),
pathConfigLease(&b),
pathRoles(),
pathRoles(&b),
pathListRoles(&b),
pathUser(&b),
pathSTS(&b),
},

Secrets: []*framework.Secret{
@@ -54,6 +54,9 @@ func Backend() *backend {

type backend struct {
*framework.Backend

// Mutex to protect access to reading and writing policies
roleMutex sync.RWMutex
}

const backendHelp = `
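Review bot: the comment on the new `roleMutex` field says it protects "policies", but the field is named `roleMutex` and the commit message says the role upgrade now happens entirely in the role read path, so the lock is really serializing reads and writes of role entries (including the upgrade-on-read write). Suggest making the comment say what it actually guards, e.g. `// roleMutex serializes reads and writes of role entries, including the in-place upgrade performed on read`, and since this hunk does not show where the lock is taken, a short note on which paths take `RLock` versus `Lock` would save the next reader from having to trace it through the role code.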
