Description
Describe the bug
Permission errors are not reflected in the output; instead users have to go to CloudTrail (if it is enabled) to get the actual error message. This is a pretty annoying issue for people who run complex IAM schemes that do not just blanket allow wildcards.
Steps to reproduce
Provide AWS credentials to notation verify or notation sign that lack IAM permissions, and run either command.
What did you expect to see?
A meaningful error message that shows the IAM error as root cause behind the AccessDeniedException, e.g.
"responseElements": {
    "Message": "User: arn:aws:sts::xxxxxxxx:assumed-role/xxxxxxxx is not authorized to perform: signer:SignPayload on resource: arn:aws:signer:eu-central-1:xxxxxx:/signing-profiles/xxxxx"
},
What did you see instead?
A cut-off error message:
WARN[2025-02-19T19:51:54+01:00] Signature sha256:xxxxx failed verification with error: revocation check by verification plugin "com.amazonaws.signer.notation.plugin" failed with reason "GetRevocationStatus call failed with error: operation error signer: GetRevocationStatus, https response error StatusCode: 403, RequestID: xxxxx, AccessDeniedException: "
What plugin version did you use?
Version: Unknown, bundled with the "latest" installer package.
What config did you use?
(Sensitive, not reasonably redactable)
Environment
OS: Ubuntu 22.04
notation version: notation/1.1.0
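A triage helper for the failure mode this issue describes, added here as an example and not code from notation or the AWS Signer plugin: it parses the aws-sdk-go-v2 error text embedded in the plugin's failure reason, detects the empty message after `AccessDeniedException:`, and fills it from the CloudTrail record that shares the same request ID. The CloudTrail record, account, role and signing-profile values are constructed placeholders.

```python
import json
import re

# Constructed sample: the truncated notation WARN line quoted in this issue.
NOTATION_LOG = (
    'WARN[2025-02-19T19:51:54+01:00] Signature sha256:xxxxx failed verification with error: '
    'revocation check by verification plugin "com.amazonaws.signer.notation.plugin" failed with '
    'reason "GetRevocationStatus call failed with error: operation error signer: '
    'GetRevocationStatus, https response error StatusCode: 403, RequestID: xxxxx, '
    'AccessDeniedException: "'
)

# Constructed CloudTrail record with hypothetical account/role/profile values.
CLOUDTRAIL_EVENTS = json.dumps({"Records": [{
    "eventSource": "signer.amazonaws.com", "eventName": "GetRevocationStatus",
    "requestID": "xxxxx", "errorCode": "AccessDenied",
    "responseElements": {"Message": "User: arn:aws:sts::111122223333:assumed-role/notation-ci "
        "is not authorized to perform: signer:GetRevocationStatus on resource: "
        "arn:aws:signer:eu-central-1:111122223333:/signing-profiles/example"},
}]})

# Shape of the aws-sdk-go-v2 error text embedded in the plugin's failure reason.
SDK_ERROR = re.compile(
    r'operation error (?P<service>\w+): (?P<operation>\w+), '
    r'https response error StatusCode: (?P<status>\d+), '
    r'RequestID: (?P<request_id>[^,]+), (?P<code>\w+): (?P<message>[^"]*)'
)
DENIAL = re.compile(r'is not authorized to perform: (?P<action>\S+) on resource: (?P<resource>\S+)')

def parse_sdk_error(line):
    """Extract service, operation, HTTP status, request ID, error code and (maybe empty) message."""
    m = SDK_ERROR.search(line)
    return m.groupdict() if m else None

def root_cause(line, cloudtrail_json):
    """Fill the missing message from the CloudTrail record that shares the SDK request ID."""
    err = parse_sdk_error(line)
    if err is None:
        return None
    if err["message"].strip():  # SDK error already carried a message; nothing to look up
        return err["message"]
    for rec in json.loads(cloudtrail_json)["Records"]:
        if rec.get("requestID") != err["request_id"]:
            continue
        m = DENIAL.search(rec.get("responseElements", {}).get("Message", ""))
        if m:
            return (f'{err["code"]} on {err["service"]}:{err["operation"]} (HTTP {err["status"]}): '
                    f'missing IAM permission {m["action"]} on {m["resource"]}')
    return f'{err["code"]} on {err["service"]}:{err["operation"]}: no matching CloudTrail record'
```

Run `root_cause(NOTATION_LOG, CLOUDTRAIL_EVENTS)` to get the single-line root cause the report asks for; a request ID with no CloudTrail match falls through to a "no matching CloudTrail record" result so the gap stays visible.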