
Add conditional endpoint resolver for AWS KMS #1509

Open
wants to merge 1 commit into
base: main

Conversation

euanhume

Summary

This PR introduces a conditional check within the endpoint resolver to specifically target the AWS Key Management Service (KMS). Currently, when using Security Token Service (STS), an 'unknown command' error occurred due to the STS action being inadvertently directed to the KMS endpoint defined in the user's configuration. This update ensures that KMS requests are appropriately routed to the custom endpoint specified by the user, while STS and other AWS services continue to utilise their default endpoints.

Release Note

Bug fix for 1175

Documentation

N/A: does not require a change to documentation.

Signed-off-by: Euan Hume <euanhume@gmail.com>
@haydentherapper
Contributor

Thanks @euanhume! Have you been able to use this locally and confirm that it's working as expected?

@euanhume
Author

Thanks for your reply @haydentherapper. I attempted to test via localstack yesterday but unfortunately I am struggling to re-create the conditions of my environment; it seems the paid version is required to enable IAM.

For more information, I'm using an AWS VPC endpoint to connect to where my AWS KMS key resides for my awskms://[ENDPOINT]/ configuration in Rekor. Because this AWSClient is setting the endpoint as the VPC endpoint for all AWS services, the STS AssumeRole operation is failing, as the default endpoint for STS (https://sts.amazonaws.com) is overwritten by my VPC endpoint. I'd be grateful if you have suggestions on how I could progress this.

@haydentherapper
Contributor

Could you rebuild Cosign locally with this change incorporated? I don't have any suggestions on how to set up AWS to test this out though.
The only thing I'm not sure about is the behavior of the client when returning aws.Endpoint{} without a URL set.
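Added example (not code from this PR or from Cosign) of the routing the summary describes and of the fallback question raised in the comment above: only KMS calls get the custom endpoint, and every other service signals "not found" so the SDK keeps its default (https://sts.amazonaws.com for STS) instead of receiving an empty endpoint. It assumes aws-sdk-go-v2 semantics, where a resolver returning aws.EndpointNotFoundError triggers default resolution; the Endpoint and EndpointNotFoundError types below are local stand-ins with the same field names so the block runs without the SDK, and the vpce host name is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Local stand-ins for aws.Endpoint and aws.EndpointNotFoundError from
// aws-sdk-go-v2 (assumption: same field names), so this runs without the SDK.
type Endpoint struct {
	URL           string
	SigningRegion string
}

// Returning this error from a resolver tells the SDK to fall back to its
// built-in default endpoint for that service rather than use an empty one.
type EndpointNotFoundError struct{ Err error }

func (e *EndpointNotFoundError) Error() string { return "endpoint not found: " + e.Err.Error() }

const kmsServiceID = "KMS" // mirrors kms.ServiceID in aws-sdk-go-v2

// customEndpointFromRef extracts the optional [ENDPOINT] host from an
// awskms://[ENDPOINT]/[key] reference; an empty host means "no override".
func customEndpointFromRef(ref string) (string, error) {
	u, err := url.Parse(ref)
	if err != nil {
		return "", err
	}
	if u.Scheme != "awskms" {
		return "", fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	return u.Host, nil
}

// kmsOnlyResolver routes only KMS calls to the custom (VPC) endpoint; every
// other service, STS included, is sent back to the SDK's default resolution.
func kmsOnlyResolver(customHost string) func(service, region string) (Endpoint, error) {
	return func(service, region string) (Endpoint, error) {
		if customHost != "" && service == kmsServiceID {
			return Endpoint{URL: "https://" + customHost, SigningRegion: region}, nil
		}
		return Endpoint{}, &EndpointNotFoundError{Err: errors.New("no override for " + service)}
	}
}
```

With the real SDK the closure would be wrapped in aws.EndpointResolverWithOptionsFunc and passed to config.LoadDefaultConfig; the decision logic is unchanged.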
