async fn build_sts_client(profile: &Profile, secret: Option<&Secret>) -> ClientExpand description
Build an aws_sdk_sts::Client for the given profile.
This is intentionally NOT pooled — STS clients are only used during validation, not on the hot path. We build a fresh one per validation call.