auth/aws: Fix error with empty bound_iam_principal_arn

[joelthompson]

In cases where there doesn't need to be a bound_iam_principal_arn, i.e.,
either auth_type is ec2 or there are other bindings with the iam
auth_type, but it is specified explicitly anyway, Vault tried to parse
it to resolve to internal unique IDs. This now checks to ensure that
bound_iam_principal_arn is non-empty before attempting to resolve it.

Fixes #3837

[jefferai]

@joelthompson This change does mean that there's no way to clear out a bound_iam_principal_arn once it's set (other than deleting the role and re-creating it). I don't know if you'd want to or not -- if that's not a problem, then this LGTM.

[joelthompson]

@jefferai -- I don't think that would be the case, maybe I'm missing something? But I do think it would be a problem if this change did mean that as what you called out should be a valid operation.

If bound_iam_principal_arn is explicitly passed in as empty, then line 498 would clear it out in the roleEntry. The if conditional on line 503 would then be false, so it would hit the else clause on line 511 and also set roleEntry.BoundIamPrincipalID = "".

Right?

[jefferai]

This is what I get for looking at a diff without enough context. You're right.

[jefferai]

LGTM, OK to merge on your end?

[joelthompson]

Just realized I left in an extraneous newline, so a tiny commit to fix that. So, now, yep, thanks for the quick engagement here! :)

[jefferai]

You caught me at a specifically good time for very small fixes :-)