Today, aws-spiffe-workload-helper is provided to AWS SDKs as a "credential process" that is invoked by the AWS SDK.
We should also offer a mode where aws-spiffe-workload-helper runs as a daemon, and writes the AWS Access Key ID, Secret Access Key and Session Token to a "credentials" file at a specified location.
Why?

- Most AWS SDKs support the credential process option, but some third-party implementations of the SDK do not. Support for the credentials file is ubiquitous. This provides an option for those cases.
- Effectively "caches" the results of the X509 SVID exchange process, providing a more immediate credential load for SDKs and providing some wiggle room in case of a failure in the exchange process (e.g. the workload identity provider could be offline, but the last set of AWS credentials will still be available).
- This mimics the behaviour of the AWS SSM agent, which is used by some larger enterprises today as a method of getting automatically rotated AWS credentials onto an on-prem host. Providing a mode which mimics this behaviour makes this more of a "drop in" replacement.

There are a few negatives to this approach:

- Credentials on disk are more exposed to exfiltration.
- Workload attestation is no longer "enforced" at this level; it'd be up to the operator to use the correct filesystem permissions to restrict access to these credentials.
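The following is an added sketch of what the daemon mode described above could look like, written for this discussion rather than taken from aws-spiffe-workload-helper itself. It shows the two behaviours the proposal relies on: writing the AWS shared credentials file atomically with owner-only permissions (the mitigation for the "credentials on disk" concern), and falling back to the last unexpired set of credentials when the SVID exchange fails. The `Exchanger` type, the `AWSCredentials` struct and all function names are assumptions; the exchange itself is stubbed with a constructed sample, since the real exchange needs a SPIFFE Workload API and AWS Roles Anywhere.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// AWSCredentials carries the three values an AWS credentials file entry needs,
// plus the expiry returned by the exchange so the daemon knows when a cached
// set stops being usable. (Hypothetical type, not from the project.)
type AWSCredentials struct {
	AccessKeyID     string
	SecretAccessKey string
	SessionToken    string
	Expiration      time.Time
}

// Exchanger abstracts "present the X509 SVID, get AWS credentials back".
// The real implementation would talk to the Workload API and AWS; here it
// is an injectable function so the fallback logic can be exercised offline.
type Exchanger func() (AWSCredentials, error)

// RenderCredentialsFile produces the INI text the AWS SDKs read from
// ~/.aws/credentials for the given profile.
func RenderCredentialsFile(profile string, c AWSCredentials) string {
	var b strings.Builder
	fmt.Fprintf(&b, "[%s]\n", profile)
	fmt.Fprintf(&b, "aws_access_key_id = %s\n", c.AccessKeyID)
	fmt.Fprintf(&b, "aws_secret_access_key = %s\n", c.SecretAccessKey)
	fmt.Fprintf(&b, "aws_session_token = %s\n", c.SessionToken)
	return b.String()
}

// WriteCredentialsFile writes the file atomically: a temp file in the same
// directory is created with mode 0600, filled, synced and then renamed over
// the target, so an SDK reading concurrently never sees a partial file and
// the credentials are never world- or group-readable, even briefly.
func WriteCredentialsFile(path, profile string, c AWSCredentials) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".credentials-*")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	defer os.Remove(tmpName) // no-op once the rename has succeeded
	if err := tmp.Chmod(0o600); err != nil {
		tmp.Close()
		return err
	}
	if _, err := tmp.WriteString(RenderCredentialsFile(profile, c)); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Sync(); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmpName, path)
}

// CheckCredentialsFileMode is the operator-side check the proposal alludes
// to: it fails if any group/other permission bit is set on the file.
func CheckCredentialsFileMode(path string) error {
	fi, err := os.Stat(path)
	if err != nil {
		return err
	}
	if perm := fi.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%s has mode %o; expected owner-only (0600)", path, perm)
	}
	return nil
}

// Refresh is one tick of the daemon loop. A successful exchange wins; if the
// exchange fails, the last known credentials are reused as long as they have
// not expired, which is the "wiggle room" the proposal describes. Once they
// have expired there is nothing safe to serve, so the error is surfaced.
func Refresh(ex Exchanger, last *AWSCredentials, now time.Time) (AWSCredentials, error) {
	fresh, err := ex()
	if err == nil {
		return fresh, nil
	}
	if last != nil && now.Before(last.Expiration) {
		return *last, nil
	}
	return AWSCredentials{}, fmt.Errorf("exchange failed and no unexpired cached credentials: %w", err)
}

func main() {
	// Constructed sample exchange: returns fixed placeholder credentials.
	sample := func() (AWSCredentials, error) {
		return AWSCredentials{
			AccessKeyID:     "AKIAEXAMPLEPLACEHOLDER",
			SecretAccessKey: "placeholder-secret",
			SessionToken:    "placeholder-session-token",
			Expiration:      time.Now().Add(time.Hour),
		}, nil
	}
	path := filepath.Join(os.TempDir(), "credentials")
	creds, err := Refresh(sample, nil, time.Now())
	if err != nil {
		fmt.Println("refresh failed:", err)
		return
	}
	if err := WriteCredentialsFile(path, "default", creds); err != nil {
		fmt.Println("write failed:", err)
		return
	}
	fmt.Println("wrote", path, "permission check:", CheckCredentialsFileMode(path))
	// Simulate the identity provider being offline on the next tick.
	offline := func() (AWSCredentials, error) { return AWSCredentials{}, errors.New("workload API unreachable") }
	cached, err := Refresh(offline, &creds, time.Now())
	fmt.Println("fallback served cached credentials:", err == nil && cached.AccessKeyID == creds.AccessKeyID)
}
```

The temp-file-plus-rename pattern matters here because the SDK may read the file at any moment; a direct truncate-and-write would occasionally hand it an empty or half-written profile. Tying fallback to the exchange's own expiry also keeps the daemon from serving credentials that AWS would reject anyway.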