Add USAGE documentation

USAGE.md

@@ -24,6 +24,7 @@
 * [MFA](#mfa)
   * [Gotchas with MFA config](#gotchas-with-mfa-config)
 * [AWS Single Sign-On (AWS SSO)](#aws-single-sign-on-aws-sso)
+* [Assuming roles with web identities](#assuming-roles-with-web-identities)
 * [Using credential helper](#using-credential-helper)
 * [Using a Yubikey](#using-a-yubikey)
   * [Prerequisites](#prerequisites)
@@ -389,6 +390,27 @@ sso_account_id=123456789012
 sso_role_name=Administrator
 ```
 
+## Assuming roles with web identities
+
+AWS supports assuming roles using [web identity federation and OpenID Connect](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-configure-role-oidc), including login using Amazon, Google, Facebook or any other OpenID Connect server. The configuration options are as follows:
+* `web_identity_token_file` A file that contains an OpenID Connect identity token. The token is loaded and passed as the `WebIdentityToken` argument of the `AssumeRoleWithWebIdentity` operation.
+* `web_identity_token_process` A command that executes to generate an OpenID Connect identity token. The token written to the command's standard out is passed as the `WebIdentityToken` argument of the `AssumeRoleWithWebIdentity` operation.
+
+An example configuration using a static token:
+
+```ini
+[profile role1]
+role_arn = arn:aws:iam::22222222222:role/role1
+web_identity_token_file = /path/to/token.txt
+```
+
+An example using a token generated by an external command:
+
+```ini
+[profile role2]
+role_arn = arn:aws:iam::33333333333:role/role2
+web_identity_token_process = oidccli raw
+```
 
 ## Using credential helper