Refresh artifact-manager-s3 credentials from shared auth sources

[scheremisin]

Summary

• resolve fresh AWS credentials on demand instead of freezing one STS session token when the plugin builds its S3 credential supplier
• prefer current AWS_SHARED_CREDENTIALS_FILE and web-identity environment sources when no explicit Jenkins credentialsId is configured
• use the same refreshable provider for the jclouds path and the AWS SDK presigner/client path
• add tests covering rotated shared-credentials file contents

Problem

After moving Jenkins from EC2 to GKE, the controller started reading temporary AWS credentials from a Vault-rendered shared credentials file. artifact-manager-s3 currently resolves session credentials once, copies them into jclouds SessionCredentials, and keeps using that fixed token. That works until the STS session expires, and copyArtifacts is usually the first place it shows up as ExpiredToken.

What changed

This patch teaches the plugin to re-resolve credentials from the active auth source instead of pinning one token in memory at context creation time. For the GKE controller case that means rereading the latest values from AWS_SHARED_CREDENTIALS_FILE after Vault rotates them. It also supports web-identity envs for controller setups that rely on Kubernetes-issued tokens.

Testing

• mvn -Dmaven.repo.local=/private/tmp/amz-s3-fix/m2 -Dtest=S3BlobStoreConfigTest test
• mvn -Dmaven.repo.local=/private/tmp/amz-s3-fix/m2 -DskipTests package