add s3guard CLI command to generate session keys for an assumed role

the aws cli get-session-token can generate the keys for short-lived session.

I'd like something similar in an s3guard command, e.g. "create-role-keys", which would take the existing (full) credentials and optionally:

• ARN of role to adopt
• duration
• name
• restrictions as path to a JSON file or just stdin
• output format
• whether to use a per-bucket binding for the credentials in the property names generated
• MFA secrets

output formats

• A JCEKS file (with chosen passwd? For better hive use: append/replace entries in existing file); saved through the hadoop FS APIs to HDFS, file:// or elsewhere
• hadoop config XML
• spark properties

The goal here is to have a workflow where you can generate role credentials to use for a limited time, store them in a JCEKS file and then share them in your jobs. This can be for: Jenkins, Oozie, build files, ..