AWS Athena ODBC driver support for App Access

[greedy52]

Implements #8281

• AWS Athena access #8281

Note that both Athena JDBC driver and Timestream JDBC driver use Java SDK v1 so Teleport would not able to support them (details see #19366)

Changes

Interestingly, the copy header logic change from #19387 actually fixed an issue that AWS would reject ODBC driver requests when Expect: 100-continue headers are signed (by the old logic). I had a similar change prior to Gavin's refactor but it's no longer necessary.

This PR then adds a new athena-odbc format tsh proxy aws to dump pre-compiled list of ODBC properties.

UX

Login

$ tsh apps login aws
Logged into AWS app "aws".

Your IAM role:
  arn:aws:iam::<account_account_id>:role/steve-poweruser

Example AWS CLI command:
  tsh aws s3 ls

Or start a local proxy:
  tsh proxy aws --app aws

New proxy format

$ tsh proxy aws --app aws -p 8888 -f athena-odbc
Started AWS proxy on http://127.0.0.1:8888.

Set the following properties for the Athena ODBC data source:
[Teleport Athena Access]
AuthenticationType = IAM Credentials
UID = <aws_access_key_id>
PWD = <aws_secret_access_key>
UseProxy = 1;
ProxyScheme = http;
ProxyHost = 127.0.0.1;
ProxyPort = 8888;
TrustedCerts = <path_to_ca_bundle>

Here is a sample connection string using the above credentials and proxy settings:
DRIVER=Simba Amazon Athena ODBC Connector;AwsRegion=us-east-1;S3OutputLocation=s3://example-bucket/athena/output/;Workgroup=example-workgroup;AuthenticationType=IAM Credentials;UID=<aws_access_key_id>;PWD=<aws_secret_access_key>;UseProxy=1;ProxyScheme=http;ProxyHost=127.0.0.1;ProxyPort=8888;TrustedCerts=<path_to_ca_bundle>

[GavinFrazar]

LGTM, glad the signing service refactor fixed a header signing issue I wasn't even aware of 😄

[mdwn]

LGTM!