fix: Name of special header for AWS credential

aip/auth/4117.md

@@ -240,7 +240,9 @@ The auth libraries and applications **must** follow the steps below:
   **imdsv2_session_token_url** fields if they are provided. The host should
   either be **169.254.169.254** or **fd00:ec2::254**.
 - If **imdsv2_session_token_url** is available, then fetch session token
-  from **imdsv2_session_token_url**.
+  from **imdsv2_session_token_url**. Note: only perform this step if you
+  need to communicate with the metadata server to fetch the region and/or
+  the security credentials
 - Check the environment variables in the following order (`AWS_REGION` and
   then the `AWS_DEFAULT_REGION`) to determine the AWS region. If found, skip
   using the AWS metadata server to determine this value.
@@ -277,7 +279,7 @@ The auth libraries and applications **must** follow the steps below:
         "key": "x-amz-date"
       },
       {
-        "value": "AWS4-HMAC-SHA256 Credential=AKIASOZTBDV4D7ABCDEDF/20200228/us-east-1/sts/aws4_request, SignedHeaders=host;x-amz-date,Signature=abcedefdfedfd",
+        "value": "AWS4-HMAC-SHA256 Credential=AKIASOZTBDV4D7ABCDEDF/20200228/us-east-1/sts/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token;x-goog-cloud-target-resource, Signature=abcedefdfedfd",
         "key": "Authorization"
       },
       {
@@ -293,7 +295,7 @@ The auth libraries and applications **must** follow the steps below:
     "body": ""
   }
   ```
-  For the AWS token, STS requires a special header `x-goog-cloud-endpoint` to recognize that the token is for a specific workload identity provider.
+  For the AWS token, STS requires a special header `x-goog-cloud-target-resource` to recognize that the token is for a specific workload identity provider.
 
 ### Determining the subject token in Microsoft Azure and URL-sourced credentials