S3A to support delegation tokens, where:
- an authenticated client can request a token via FileSystem.getDelegationToken()
- Amazon's token service is used to request short-lived session secret & id; these will be saved in the token and marshalled with jobs
- A new authentication provider will look for a token for the current user and authenticate the user if found
This will not support renewals; the lifespan of a token will be limited to the initial duration. Also, as you can't request an STS token from a temporary session, IAM instances won't be able to issue tokens.
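
The token lifecycle described above, as an added model that is not Hadoop or S3A code: issue, marshal with the job, look up for the current user, and the two stated limits (no renewal, no issuing from a temporary session). All class and function names are hypothetical, and the STS call is replaced by a stub that returns constructed values.

```python
import json
import time
from dataclasses import dataclass, asdict
from typing import Optional

@dataclass(frozen=True)
class Credentials:
    access_key: str
    secret_key: str
    session_token: Optional[str] = None  # set only for temporary credentials

@dataclass(frozen=True)
class DelegationToken:
    owner: str
    access_key: str
    secret_key: str
    session_token: str
    expiry: float  # epoch seconds, fixed at issue time; there is no renew operation

    def marshal(self) -> bytes:
        # The marshalled form carries the session secret: protect it like a credential.
        return json.dumps(asdict(self)).encode()

    @staticmethod
    def unmarshal(data: bytes) -> "DelegationToken":
        return DelegationToken(**json.loads(data.decode()))

def stub_sts_session(creds, duration, now):
    """Stand-in for the token-service request; constructed values, no network."""
    return ("CONSTRUCTED-SESSION-ID", "constructed-secret",
            "constructed-session-token", now + duration)

def get_delegation_token(owner, creds, duration=3600, now=None):
    now = time.time() if now is None else now
    if creds.session_token is not None:
        # Temporary sessions (e.g. instance credentials) cannot issue tokens.
        raise PermissionError("cannot request an STS token from a temporary session")
    return DelegationToken(owner, *stub_sts_session(creds, duration, now))

def authenticate(current_user, job_tokens, now=None):
    """Auth provider: use the current user's token if one was shipped with the job."""
    now = time.time() if now is None else now
    raw = job_tokens.get(current_user)
    if raw is None:
        return None  # no token for this user: defer to the next provider
    token = DelegationToken.unmarshal(raw)
    if now >= token.expiry:
        raise PermissionError("delegation token expired; renewal is not supported")
    return Credentials(token.access_key, token.secret_key, token.session_token)
```

A job that outlives the initial duration fails at `authenticate`, so the requested duration has to cover the whole job.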