Support prefetch & stale time for S3 web identity provider #27455
Description

When s3.use-web-identity-token-credentials-provider is configured, then the WebIdentityTokenFileCredentialsProvider is used in AWS SDK to communicate with S3. This provider supports specifying the prefetchTime & staleTime (by default it's 5 & 1 minute).

Why is this important? Well, because when we presign an S3 URL (e.g. for Trino client to retrieve the data using the spooling protocol), the attached token will be valid only for as long as the remaining validity time of the temporary token that was used to sign the URL. For example, if the MaxSessionDuration in AWS IAM role is kept to its default 1 hour, then what happens is that every hour new temporary credentials need to be fetched. If prefetch time is 5 minutes (and stale time 1 minute), then the worst-case scenario is that every hour the Trino clients might experience the ExpiredToken exception when downloading the spooled segments from a signed S3 URL later than 1-5 minutes since their creation.

This issue is even worse in case some Trino workers finish their job early, upload their segments to S3, sign them, but then the Trino client still needs to wait for all the remaining workers to finish their part, which might take several more minutes. So if the query is executed just before the session is about to expire, then the clients running such heavy queries are almost guaranteed to experience the ExpiredToken exception.

Release notes
Release notes are required. Please propose a release note for me.
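
The timing described in the PR description can be checked with a small model. This is an added example, not code from the pull request or from Trino. The function names, the 10-minute download delay and the refresh model (each credential set is replaced exactly `refresh_margin` before it expires, with 5 minutes standing for a prompt prefetch and 1 minute for a refresh deferred to the stale time) are assumptions.

```python
from datetime import timedelta


def url_lifetime(signed_at, cred_expiry, requested_ttl):
    """Effective lifetime of a presigned URL.

    The URL stops working when the temporary credentials that signed it
    expire, so the requested TTL is capped by the remaining session time.
    Times are offsets from the moment the credentials were issued.
    """
    return max(timedelta(0), min(requested_ttl, cred_expiry - signed_at))


def at_risk_seconds(session, refresh_margin, download_delay, requested_ttl):
    """Seconds per credential cycle in which a freshly signed URL will
    already be expired when the client downloads it `download_delay` later.

    Assumed model: credentials live for `session` and are replaced
    `refresh_margin` before expiry, so one credential set signs URLs
    during the first (session - refresh_margin) of its life.
    """
    signing_window = int((session - refresh_margin).total_seconds())
    return sum(
        1
        for s in range(signing_window)
        if url_lifetime(timedelta(seconds=s), session, requested_ttl) < download_delay
    )


if __name__ == "__main__":
    session = timedelta(hours=1)   # default MaxSessionDuration from the description
    delay = timedelta(minutes=10)  # constructed: client waits for slow workers
    ttl = timedelta(hours=1)       # constructed: TTL requested when presigning
    for margin in (1, 5, 15):      # minutes before expiry at which refresh happens
        bad = at_risk_seconds(session, timedelta(minutes=margin), delay, ttl)
        print(f"refresh {margin:>2} min before expiry: {bad} s/hour at risk")
```

In this model the at-risk window disappears once the refresh margin is at least as long as the longest delay between signing and download.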