Allow role-based authentication for Athena

[jdelStrother]

WDYT to something like this?

You can now specify role_arn to assume a role for querying Athena, rather than using the access key & secret directly. STS tokens expire after 1 hour by default, so I've also wrapped the client calls in a autorefresh_credentials block. (Which is a little gross, open to better suggestions)

STS requires you to specify a region, which might not be the same as the database's region. To try & clean up the distinction I've moved all the Athena credential settings to a new credentials sub-hash, but it should continue to work with people still setting access key & secret at the top level.

[jdelStrother]

Anything I can do to help get this merged?