Update the documentation to describe using symlinks for sharing web identity token file for 'repository-s3' plugin (#3021)

* Update the documentation to describe using symlinks for sharing web identity token file for 'repository-s3' plugin

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>

* Address review comments

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>

---------

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
Andriy Redko 2023-02-21 18:36:37 -05:00 committed by GitHub
parent d20c614f11
commit 0106a22fc8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 13 additions and 0 deletions

@ -157,10 +157,23 @@ Request fields | Description
```
If you don't want to configure AWS access and secret keys, modify the following `opensearch.yml` setting. Make sure the file is accessible by the `repository-s3` plugin:
```yml
s3.client.default.identity_token_file: /usr/share/opensearch/plugins/repository-s3/token
```
If copying is not an option, you can create a symlink to the web identity token file in the `${OPENSEARCH_PATH_CONFIG}` folder:
```
ln -s $AWS_WEB_IDENTITY_TOKEN_FILE "${OPENSEARCH_PATH_CONFIG}/aws-web-identity-token-file"
```
You can reference the web identity token file in the following `opensearch.yml` setting by specifying the relative path that is resolved against `${OPENSEARCH_PATH_CONFIG}`:
```yaml
s3.client.default.identity_token_file: aws-web-identity-token-file
```
IAM roles require at least one of the above settings. Other settings will be taken from environment variables (if available): `AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE`, `AWS_ROLE_SESSION_NAME`.
1. If you changed `opensearch.yml`, you must restart each node in the cluster. Otherwise, you only need to reload secure cluster settings:
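Review bot: In the `ln -s` example, `$AWS_WEB_IDENTITY_TOKEN_FILE` is unquoted while the destination `"${OPENSEARCH_PATH_CONFIG}/aws-web-identity-token-file"` is quoted, so a token path containing whitespace would be word-split by the shell; quote the source as `"$AWS_WEB_IDENTITY_TOKEN_FILE"`. The fence around that command has no language tag, and the new settings block is tagged `yaml` while the block just above it is tagged `yml`; pick one tag and use it throughout. The symlink paragraph should also repeat the caveat from the copy case ("Make sure the file is accessible by the `repository-s3` plugin"), because the link only helps if its target remains readable by the OpenSearch process. Finally, "IAM roles require at least one of the above settings" now follows two forms of the same `s3.client.default.identity_token_file` setting, so it is worth rewording to say that the setting is required in either the absolute-path or the relative-path form.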