
Add IRSA authorizer support for custom pricing Athena queries

Update QueryAthenaPaginated to use the modern authorization path via
ConvertAwsAthenaInfoToConfig, which properly supports IRSA (IAM Roles
for Service Accounts) for cross-account AWS Athena access.

Previously, the custom pricing path for RI/Savings Plan lookups only
supported static AWS access keys, while the CloudCost path supported
IRSA through the Authorizer interface. This change aligns both paths
by using the existing ConvertAwsAthenaInfoToConfig function which:

- Uses ServiceAccount (IRSA) when credentials are empty
- Wraps with AssumeRole when MasterPayerARN is configured
- Enables cross-account assume role chains with IRSA

Fixes #3530

Signed-off-by: Claude <noreply@anthropic.com>
Signed-off-by: Warwick Peatey <warwick.peatey@ibm.com>
Claude, 4 months ago
Parent
Commit
f62551a2b0
1 changed file with 11 additions and 3 deletions

+ 11 - 3
pkg/cloud/aws/provider.go

@@ -2109,10 +2109,18 @@ func (aws *AWS) QueryAthenaPaginated(ctx context.Context, query string, fn func(
 		startQueryExecutionInput.WorkGroup = awsSDK.String(awsAthenaInfo.AthenaWorkgroup)
 	}
 
-	// Create Athena Client
-	cfg, err := awsAthenaInfo.CreateConfig()
+	// Create Athena Client using modern authorization path that supports IRSA
+	athenaConfig := ConvertAwsAthenaInfoToConfig(*awsAthenaInfo)
+	if athenaConfig == nil {
+		return fmt.Errorf("QueryAthenaPaginated: failed to convert athena configuration")
+	}
+	ac, ok := athenaConfig.(*AthenaConfiguration)
+	if !ok {
+		return fmt.Errorf("QueryAthenaPaginated: unexpected configuration type")
+	}
+	cfg, err := ac.Authorizer.CreateAWSConfig(awsAthenaInfo.AthenaRegion)
 	if err != nil {
-		log.Errorf("Could not retrieve Athena Configuration: %s", err.Error())
+		return fmt.Errorf("QueryAthenaPaginated: failed to create AWS config: %s", err.Error())
 	}
 	cli := athena.NewFromConfig(cfg)
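
Review bot: `ac.Authorizer.CreateAWSConfig(awsAthenaInfo.AthenaRegion)` calls through `ac.Authorizer` without checking it for nil; the two guards above it cover only a nil `athenaConfig` and a failed type assertion. If the conversion can return an `*AthenaConfiguration` with no authorizer set, this line panics instead of returning an error, so add a guard such as `if ac.Authorizer == nil { return fmt.Errorf(...) }` before the call. Separately, the new error return formats with `%s` and `err.Error()`; passing `err` with `%w` would keep the underlying credential error reachable through `errors.Is` and `errors.As`. Returning on failure rather than logging and continuing is the right change, since the removed lines went on to call `athena.NewFromConfig(cfg)` with a config that had failed to load.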