fix: reduce AWS STS inline policy size by merging read+write actions #4228

Open
yushesp wants to merge 1 commit into apache:main from yushesp:fix/sts-policy-size

Conversation

@yushesp (Contributor) commented Apr 16, 2026

Writable locations previously appeared in two separate statements:

  1. Read statement covering every location
  2. Write statement covering only writable ones.

This listed the resource ARN twice for every writable location, which pushed deeply nested namespace paths past the 2048-character STS policy limit.

This change emits a single combined statement granting both read and write actions for writable locations, and keeps the read-only statement only for locations not already covered.

Also wraps the assumeRole call to rewrap PackedPolicyTooLargeException with a descriptive error msg.

Example:

Before (2 statements, ARN duplicated):

  {"Action": ["s3:GetObject", "s3:GetObjectVersion"],
   "Resource": ["...bucket/path/*"]}
  {"Action": ["s3:PutObject", "s3:DeleteObject"],
   "Resource": ["...bucket/path/*"]}

After (1 statement):

  {"Action": ["s3:GetObject", "s3:GetObjectVersion",
              "s3:PutObject", "s3:DeleteObject"],
   "Resource": ["...bucket/path/*"]}

Fixes #3243

Checklist

  • 🛡️ Don't disclose security issues! (contact security@apache.org)
  • 🔗 Clearly explained why the changes are needed, or linked related issues: Fixes #
  • 🧪 Added/updated tests with good coverage, or manually tested (and explained how)
  • 💡 Added comments for complex logic
  • 🧾 Updated CHANGELOG.md (if needed)
  • 📚 Updated documentation in site/content/in-dev/unreleased (if needed)
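An added worked example in Python (not Polaris code) that builds both statement layouts from the description for constructed, deeply nested table locations and checks that the merged layout lists each ARN once and grants exactly the same actions; the bucket name, namespace paths and the 2012-10-17 policy version are assumptions.

```python
import json

READ_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion"]
WRITE_ACTIONS = ["s3:PutObject", "s3:DeleteObject"]
PACKED_POLICY_CHAR_LIMIT = 2048  # the STS limit the PR description cites
BUCKET_ARN = "arn:aws:s3:::example-bucket"  # constructed, not a Polaris value

def sample_locations(tables=6, depth=16):
    """Constructed input: one table location per table under a deeply nested
    namespace path; every location except the last one is writable."""
    ns = "/".join(f"namespace{i}" for i in range(depth))
    locations = [f"{BUCKET_ARN}/{ns}/table{t}/*" for t in range(tables)]
    return locations, locations[:-1]

def statements_before(locations, writable):
    """Original layout: a read statement over every location plus a write
    statement over the writable subset, so each writable ARN appears twice."""
    stmts = [{"Effect": "Allow", "Action": READ_ACTIONS, "Resource": sorted(locations)}]
    if writable:
        stmts.append({"Effect": "Allow", "Action": WRITE_ACTIONS, "Resource": sorted(writable)})
    return stmts

def statements_after(locations, writable):
    """Merged layout from the PR: one read+write statement for writable locations
    and a read-only statement only for locations not already covered."""
    writable = set(writable) & set(locations)
    read_only = set(locations) - writable
    stmts = []
    if writable:
        stmts.append({"Effect": "Allow", "Action": READ_ACTIONS + WRITE_ACTIONS,
                      "Resource": sorted(writable)})
    if read_only:
        stmts.append({"Effect": "Allow", "Action": READ_ACTIONS, "Resource": sorted(read_only)})
    return stmts

def policy_json(statements):
    """Compact serialisation. Its length is the raw-JSON proxy the PR's test
    asserts on; the packed size STS actually enforces is computed on the AWS side."""
    return json.dumps({"Version": "2012-10-17", "Statement": statements},
                      separators=(",", ":"))

def granted_actions(statements, arn):
    """Actions the Allow statements grant on an exact resource ARN; used to check
    that merging shrinks the policy without changing what it permits."""
    return {a for s in statements if arn in s["Resource"] for a in s["Action"]}
```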

@jbonofre (Member) left a comment

LGTM, thanks!

try {
response = stsClient.assumeRole(request.build());
} catch (PackedPolicyTooLargeException e) {
throw new RuntimeException(
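Review bot: the catch block (`} catch (PackedPolicyTooLargeException e) {` followed by `throw new RuntimeException(`) is cut off before the constructor arguments, so it is not visible whether `e` is passed as the cause; the rewrap should keep it (`throw new RuntimeException("...", e);`) so the original STS exception details and stack trace survive for debugging.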
Member left a comment:

To be honest, I would expect something more specific than RuntimeException here, but as the rest of the storage layer is also using RuntimeException, it's consistent and makes sense 😄

response = stsClient.assumeRole(request.build());
} catch (PackedPolicyTooLargeException e) {
throw new RuntimeException(
"AWS STS rejected the session policy: it exceeds the 2048-character packed-policy"
Member left a comment:

I was confused when I saw the corresponding testDeepNestedNamespaceStaysWithinPackedPolicyLimit as the assert is on the raw JSON length, not the packed size.

But it's actually correct. I was misled by the comment and naming.

@github-project-automation github-project-automation bot moved this from PRs In Progress to Ready to merge in Basic Kanban Board Apr 17, 2026
Linked issue (may be closed by merging this pull request): Polaris fails to create a Table because of an STS policy size limit