feat(libstore): add builtin fetchurl S3 credential pre-resolution

Add support for pre-resolving AWS credentials in the parent process
before forking for builtin:fetchurl. This avoids recreating credential
providers in the forked child process.

src/libstore/builtins/fetchurl.cc

@@ -33,6 +33,7 @@ static void builtinFetchurl(const BuiltinBuilderContext & ctx)
 
     /* Note: have to use a fresh fileTransfer here because we're in
        a forked process. */
+    debug("[pid=%d] builtin:fetchurl creating fresh FileTransfer instance", getpid());
     auto fileTransfer = makeFileTransfer();
 
     auto fetch = [&](const std::string & url) {
@@ -40,6 +41,18 @@ static void builtinFetchurl(const BuiltinBuilderContext & ctx)
             FileTransferRequest request(ValidURL{url});
             request.decompress = false;
 
+#if NIX_WITH_CURL_S3
+            // Use pre-resolved credentials if available
+            if (ctx.awsCredentials && request.uri.scheme() == "s3") {
+                debug("[pid=%d] Using pre-resolved AWS credentials from parent process", getpid());
+                request.usernameAuth = UsernameAuth{
+                    .username = ctx.awsCredentials->accessKeyId,
+                    .password = ctx.awsCredentials->secretAccessKey,
+                };
+                request.preResolvedAwsSessionToken = ctx.awsCredentials->sessionToken;
+            }
+#endif
+
             auto decompressor = makeDecompressionSink(unpack && hasSuffix(mainUrl, ".xz") ? "xz" : "none", sink);
             fileTransfer->download(std::move(request), *decompressor);
             decompressor->finish();