
Support custom STS endpoint for AssumeRoleWithWebIdentity on non-AWS S3 backends #2625

@harksin

Description


Problem

sccache supports AssumeRoleWithWebIdentity via AWS_ROLE_ARN + AWS_WEB_IDENTITY_TOKEN_FILE, but the STS endpoint is resolved from the AWS region (sts.{region}.amazonaws.com). There is no way to configure a custom STS endpoint.

This means OIDC-based authentication is effectively unusable with S3-compatible backends (like Ceph RGW) that implement their own STS API.

Context

Both Ceph RGW (https://docs.ceph.com/en/latest/radosgw/STS/) and MinIO (https://min.io/docs/minio/linux/operations/external-iam/configure-openid-external-identity-management.html) fully support AssumeRoleWithWebIdentity with OIDC providers like Keycloak. The only missing piece is sccache's ability to point the STS call at a custom endpoint.

Today, the only viable auth method for non-AWS S3 is static credentials (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY), which prevents using short-lived OIDC tokens, a requirement in zero-trust / credential-rotation environments.

Proposed solution

Add a new configuration option for a custom STS endpoint:

  • Environment variable: SCCACHE_S3_STS_ENDPOINT (or AWS_STS_ENDPOINT to align with some AWS SDK conventions)
  • TOML config: sts_endpoint under [cache.s3]

When set, sccache should use this URL instead of the default AWS STS endpoint when performing AssumeRoleWithWebIdentity.
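As an added illustration (not sccache's own code, and not from the issue author), the following Rust sketch shows how a hypothetical `sts_endpoint` option could be resolved and validated before the AssumeRoleWithWebIdentity call. The default endpoint follows the `sts.{region}.amazonaws.com` scheme the issue describes; the `S3Config` struct, the `validate_sts_endpoint` rules, the env-var precedence and the `rgw.example.internal` host are all assumptions. Because the web identity token is a bearer credential, the custom endpoint is required to be `https://` and must not carry userinfo, a query string or a fragment.

```rust
// Added example, not part of sccache. Models how a proposed `sts_endpoint`
// setting under [cache.s3] could be resolved with a safe fallback to the
// AWS regional STS endpoint. All names here are hypothetical.

/// Minimal stand-in for the `[cache.s3]` section plus the proposed key.
#[derive(Debug, Default)]
pub struct S3Config {
    pub region: Option<String>,
    /// Proposed option (assumed name): custom STS endpoint for non-AWS backends.
    pub sts_endpoint: Option<String>,
}

#[derive(Debug, PartialEq)]
pub enum StsEndpointError {
    Empty,
    NotHttps(String),
    HasUserInfo,
    HasQueryOrFragment,
    MissingRegion,
}

/// Return the STS URL to call. Precedence:
///   1. an explicit `sts_endpoint` (validated),
///   2. the AWS regional endpoint derived from `region`.
pub fn resolve_sts_endpoint(cfg: &S3Config) -> Result<String, StsEndpointError> {
    if let Some(raw) = cfg.sts_endpoint.as_deref() {
        return validate_sts_endpoint(raw);
    }
    match cfg.region.as_deref() {
        Some(r) if !r.is_empty() => Ok(format!("https://sts.{}.amazonaws.com", r)),
        _ => Err(StsEndpointError::MissingRegion),
    }
}

/// The web identity token travels in the request body, so the endpoint must be
/// TLS, and the URL must not smuggle credentials or extra query data.
pub fn validate_sts_endpoint(raw: &str) -> Result<String, StsEndpointError> {
    let trimmed = raw.trim();
    if trimmed.is_empty() {
        return Err(StsEndpointError::Empty);
    }
    // Scheme check is case-insensitive ("HTTPS://" is accepted).
    let has_https = trimmed
        .get(..8)
        .map(|s| s.eq_ignore_ascii_case("https://"))
        .unwrap_or(false);
    if !has_https {
        return Err(StsEndpointError::NotHttps(trimmed.to_string()));
    }
    let rest = &trimmed[8..];
    // authority = everything up to the first '/'
    let authority = rest.split('/').next().unwrap_or("");
    if authority.is_empty() {
        return Err(StsEndpointError::Empty);
    }
    if authority.contains('@') {
        return Err(StsEndpointError::HasUserInfo);
    }
    if trimmed.contains('?') || trimmed.contains('#') {
        return Err(StsEndpointError::HasQueryOrFragment);
    }
    // Normalise: drop trailing slashes so later path joining is predictable.
    Ok(trimmed.trim_end_matches('/').to_string())
}

/// Assumed source precedence: SCCACHE_S3_STS_ENDPOINT, then AWS_STS_ENDPOINT,
/// then the TOML value. The order is an assumption, not sccache behaviour.
pub fn sts_endpoint_from_sources(
    env_sccache: Option<&str>,
    env_aws: Option<&str>,
    toml_value: Option<&str>,
) -> Option<String> {
    env_sccache.or(env_aws).or(toml_value).map(|s| s.to_string())
}

fn main() {
    // Constructed sample: a Ceph RGW-style STS endpoint on an internal host.
    let cfg = S3Config {
        region: Some("us-east-1".into()),
        sts_endpoint: Some("https://rgw.example.internal:8443/".into()),
    };
    match resolve_sts_endpoint(&cfg) {
        Ok(url) => println!("STS endpoint: {}", url),
        Err(e) => eprintln!("invalid STS endpoint: {:?}", e),
    }
}
```

The point of the validation step is that a misconfigured plaintext `http://` endpoint would hand the OIDC token to anyone on the path; failing closed at config-load time is cheaper than diagnosing a leaked credential later.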
