Support credential sources in AWS Secrets in CI/CD provided by prescripts
Proposal
18.3's release of AWS Secrets Manager secrets in CI/CD Jobs is great, but expects OIDC auth or the runner to already have a role before any code runs: presumably allowing referencing that secret at startup?
However, we inject AWS credentials in a pre-job script in the runner Helper. This means that using this feature fails, as the credentials required are not available (the attached instance role is used, which is shared and has minimal access).
One option to support our case might be a "lazy" or "late" flag - fetch in the job runtime. This is assuming that the AWS SDK credential chain runs as expected - and an existing profile is used ahead of instance role.