Description
Is your feature request related to a problem? Please describe.
Description:
Add support for AWS STS Session Tags when vending S3 credentials via AssumeRole. This enables deterministic correlation between Polaris catalog operations and downstream S3 access events in AWS CloudTrail.
Motivation:
Currently, the only correlation mechanism between catalog credential vending and S3 access is the role session name. This provides principal-level attribution but lacks granularity for:
- Fine-grained audit trails (table → S3 reads)
- Cost allocation by catalog/namespace/table
- Security forensics
- Compliance reporting
Describe the solution you'd like
Proposed Solution:
Add session tags (polaris:catalog, polaris:namespace, polaris:table, polaris:principal, polaris:request-id) to AssumeRoleRequest. Controlled by a new feature flag INCLUDE_SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL (default: false).
Acceptance Criteria:
- New feature flag INCLUDE_SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL added
- Session tags added to AssumeRoleRequest when feature enabled
- Tags marked as transitive for role chaining scenarios
- Values truncated to AWS limits (256 chars)
- Documentation updated with IAM policy requirements
- Unit and integration tests added
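As an added illustration (not Polaris code), the following sketch shows what the acceptance criteria above amount to with the AWS SDK for Java v2: a flag-gated helper that attaches the polaris:* tags to AssumeRoleRequest, marks them transitive, and truncates values to the 256-character limit. The class and method names, the context keys, and the role ARN are hypothetical placeholders.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.Tag;

/** Hypothetical helper: builds an AssumeRoleRequest carrying polaris:* session tags. */
public final class SessionTagsExample {
  // AWS session tag limits: key up to 128 characters, value up to 256 characters.
  private static final int MAX_TAG_VALUE_LENGTH = 256;

  /** Truncates a tag value so STS does not reject the request with a validation error. */
  static String truncate(String value) {
    return value.length() <= MAX_TAG_VALUE_LENGTH ? value : value.substring(0, MAX_TAG_VALUE_LENGTH);
  }

  /**
   * context maps the short names (catalog, namespace, table, principal, request-id) to their
   * values; includeSessionTags stands in for INCLUDE_SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL.
   */
  static AssumeRoleRequest buildRequest(
      String roleArn, String sessionName, Map<String, String> context, boolean includeSessionTags) {
    AssumeRoleRequest.Builder builder =
        AssumeRoleRequest.builder().roleArn(roleArn).roleSessionName(sessionName);
    if (!includeSessionTags) {
      return builder.build(); // flag off: behaviour unchanged, no tags sent
    }
    List<Tag> tags = new ArrayList<>();
    List<String> transitiveKeys = new ArrayList<>();
    for (Map.Entry<String, String> entry : context.entrySet()) {
      String key = "polaris:" + entry.getKey();
      tags.add(Tag.builder().key(key).value(truncate(entry.getValue())).build());
      transitiveKeys.add(key); // transitive: survives further role chaining downstream
    }
    return builder.tags(tags).transitiveTagKeys(transitiveKeys).build();
  }

  public static void main(String[] args) {
    // Constructed sample context; the account id in the ARN is a placeholder.
    Map<String, String> context = Map.of(
        "catalog", "analytics", "namespace", "sales.eu", "table", "orders",
        "principal", "etl-user", "request-id", "c0ffee-0001");
    AssumeRoleRequest request = buildRequest(
        "arn:aws:iam::123456789012:role/PolarisVendedRole", "polaris-etl-user", context, true);
    request.tags().forEach(t -> System.out.println(t.key() + "=" + t.value()));
    System.out.println("transitive keys: " + request.transitiveTagKeys());
  }
}
```

The tagged AssumeRole call only succeeds if the target role's trust policy allows sts:TagSession, as noted under Dependencies; otherwise STS returns AccessDenied.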
Describe alternatives you've considered
1. Use sts:SourceIdentity
Pros: Immutable, appears in CloudTrail
Cons: Single value only, cannot convey structured data
2. Encode metadata in role session name
Pros: No IAM policy changes needed
Cons: 64-char limit insufficient; parsing complexity; potential collisions
3. External correlation via timestamp
Current approach: Join audit logs and CloudTrail by time window
Cons: Non-deterministic; fails with concurrent requests; complex queries
Additional context
Dependencies:
- Requires IAM role trust policy update to allow sts:TagSession
Related:
- INCLUDE_PRINCIPAL_NAME_IN_SUBSCOPED_CREDENTIAL feature flag