fix(amplify-provider-awscloudformation): mfa role assumption fails with cached credentials (aws-amplify#14626)

Fixes three related bugs in credential caching for MFA-based role
assumption introduced in commit 04f7bcf (PR aws-amplify#14315).

Bug 1 - MFA prompt never appears: getCachedRoleCredentials() always
returned { credentials: {} } even with no valid cache, so the STS
AssumeRole call was never executed.

Fix: return undefined when no valid cached credentials exist.

Bug 2 - Cache validation always fails: credentials were cached in
nested format { credentials: { accessKeyId, ... } } but
validateCachedCredentials() expected flat format.

Fix: cache the flat credentials object (roleCredentials.credentials).

Bug 3 - expiration.getTime error: cached Date is deserialized as a
string, but the AWS SDK calls expiration.getTime(). The fix in
PR aws-amplify#14315 only addressed this in getConfiguredAWSClientConfig(), not
in getProfiledAwsConfig().

Fix: convert expiration to Date when returning cached credentials.

Author: danrivett

packages/amplify-provider-awscloudformation/src/system-config-manager.ts

@@ -186,7 +186,7 @@ const getRoleCredentials = async (context: $TSContext, profileName: string, prof
       log(ex);
     }
     if (profileConfig.role_arn && roleSessionName && roleCredentials) {
-      cacheRoleCredentials(profileConfig.role_arn, roleSessionName, roleCredentials);
+      cacheRoleCredentials(profileConfig.role_arn, roleSessionName, roleCredentials.credentials);
     }
   }
 
@@ -245,9 +245,14 @@ const getCachedRoleCredentials = (roleArn: string, sessionName: string): $TSAny
       return undefined;
     }
   }
+  if (!roleCredentials) {
+    return undefined;
+  }
   return {
     credentials: {
       ...roleCredentials,
+      // Ensure expiration is a Date object (JSON serialization converts it to string)
+      expiration: roleCredentials.expiration ? new Date(roleCredentials.expiration) : undefined,
     },
   };
 };