  1. Project Quay
  2. PROJQUAY-8576

STS with Web Identity Support for AWS S3


    • Type: Feature
    • Resolution: Unresolved

      Currently, STS support requires an IAM user with static credentials to be provided in order to assume a role for S3 access. Customers in secure environments often disallow IAM users in favor of a web identity solution for workloads running on top of OpenShift such as Quay (see PROJQUAY-5850 for a broader effort around CCO credentials).

      However, it would be useful for customers to be able to use their own managed web identities (such as IRSA service account annotations) for authentication outside of the management of CCO. This would also be foundational work required for PROJQUAY-5850.

       

      See this upstream PR for suggested implementation from a customer: https://github.com/quay/quay/pull/3670

      Assignee: Unassigned
      Reporter: Andrew Austin Byrum (aaustin@redhat.com)
      Votes: 3
      Watchers: 6

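
The two credential paths contrasted in the description, as an added sketch (not Quay's code and not the code in the linked PR). The config key names, the session name and the sample ARN are assumptions; `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` are the variables an IRSA-annotated service account receives.

```python
import os
from pathlib import Path

def plan_sts_call(config, env=None):
    """Pick the STS operation and arguments for S3 access.

    Returns (operation_name, kwargs, needs_static_keys).
    """
    env = os.environ if env is None else env
    role_arn = config.get("sts_role_arn") or env.get("AWS_ROLE_ARN")
    if not role_arn:
        raise ValueError("no role ARN configured")
    kwargs = {"RoleArn": role_arn, "RoleSessionName": "quay-storage"}
    # Current behaviour per the issue: a static IAM user key pair signs AssumeRole.
    if config.get("sts_user_access_key") and config.get("sts_user_secret_key"):
        return "assume_role", kwargs, True
    # Requested behaviour: no IAM user; present the pod's projected OIDC token.
    token_file = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if not token_file:
        raise ValueError("neither static keys nor a web identity token file")
    # The projected token is rotated on disk, so read it on every call.
    token = Path(token_file).read_text().strip()
    if not token:
        raise ValueError("web identity token file is empty")
    kwargs["WebIdentityToken"] = token
    return "assume_role_with_web_identity", kwargs, False

def fetch_credentials(config, env=None):
    """Perform the planned call with boto3 and return temporary credentials."""
    import boto3  # imported here so planning works without AWS libraries
    from botocore import UNSIGNED
    from botocore.config import Config
    operation, kwargs, needs_static_keys = plan_sts_call(config, env)
    if needs_static_keys:
        sts = boto3.client(
            "sts",
            aws_access_key_id=config["sts_user_access_key"],
            aws_secret_access_key=config["sts_user_secret_key"],
        )
    else:
        # AssumeRoleWithWebIdentity is authenticated by the token, not by SigV4.
        sts = boto3.client("sts", config=Config(signature_version=UNSIGNED))
    return getattr(sts, operation)(**kwargs)["Credentials"]
```

On the web identity path no long-lived secret is stored in the registry configuration; the role's trust policy decides which service account token is accepted.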