fix: disallow invalid x-amz-security-token for root credentials (#13388)

* fix: disallow invalid x-amz-security-token for root credentials

fixes #13335

This was a regression added in #12947 when this part of the
code was refactored to avoid privilege issues with service
accounts with session policy.

Bonus: 

- fix: AssumeRoleWithCertificate policy mapping and reload

  AssumeRoleWithCertificate was not mapping to correct
  policies even after successfully generating keys, since
  the claims associated with this API were never looked up
  properly. Ensure that policies are set appropriately.

- GetUser() API was not loading policies correctly based
  on AccessKey based mapping which is true with OpenID
  and AssumeRoleWithCertificate API.

cmd/sts-handlers.go

@@ -767,11 +767,12 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
 	parentUser := "tls:" + certificate.Subject.CommonName
 
 	tmpCredentials, err := auth.GetNewCredentialsWithMetadata(map[string]interface{}{
-		expClaim:    time.Now().UTC().Add(expiry).Unix(),
-		parentClaim: parentUser,
-		subClaim:    certificate.Subject.CommonName,
-		audClaim:    certificate.Subject.Organization,
-		issClaim:    certificate.Issuer.CommonName,
+		expClaim:                   time.Now().UTC().Add(expiry).Unix(),
+		parentClaim:                parentUser,
+		subClaim:                   certificate.Subject.CommonName,
+		audClaim:                   certificate.Subject.Organization,
+		issClaim:                   certificate.Issuer.CommonName,
+		iamPolicyClaimNameOpenID(): certificate.Subject.CommonName,
 	}, globalActiveCred.SecretKey)
 	if err != nil {
 		writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)