Support cross-account IAM role assumption for Identity Store APIs#308

Open
Dakad wants to merge 1 commit into awslabs:master from apptweak:fix/gh-295_support-cross-account-IAM-role
Conversation

@Dakad Dakad commented Apr 17, 2026

Summary

Adds optional support for assuming an IAM role before making IAM Identity Center Identity Store API calls.

Today ssosync loads AWS credentials from the standard AWS SDK v2 default credential chain and uses them directly for Identity Store operations. This change preserves that behavior by default, and adds an opt-in assume-role-arn configuration path so ssosync can run outside the delegated admin or management account while still using the correct target-account permissions.

Closes #295.

Changes

  • add --assume-role-arn
  • add SSOSYNC_ASSUME_ROLE_ARN
  • load the normal AWS SDK config first
  • when configured, use STS AssumeRole with session name ssosync
  • build the Identity Store client from the assumed-role credentials
  • keep SCIM endpoint/token behavior unchanged
  • preserve CLI, Lambda, and dry-run flows
  • add unit tests for config parsing and the assume-role code path
  • update README docs and examples

Validation

  • go test ./cmd -run 'TestAddFlagsIncludesAssumeRoleArn|TestViperParsesAssumeRoleArn' -count=1
  • go test ./internal/aws -run 'TestLoadIdentityStoreConfigWithAssumeRole|TestLoadIdentityStoreConfigWithoutAssumeRole' -count=1
  • go test ./... -count=1

Notes

The behavior change is fully opt-in. When assume-role-arn is not set, ssosync behaves as it does today.

@Dakad Dakad marked this pull request as ready for review April 17, 2026 14:28
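The opt-in flow the PR describes (resolve the role ARN from `--assume-role-arn` or `SSOSYNC_ASSUME_ROLE_ARN`, keep the default credential chain when neither is set, otherwise call STS AssumeRole with session name `ssosync` and build the Identity Store client from the returned credentials) is sketched below as an added, stand-alone Go example. This is illustrative code, not ssosync's implementation or the AWS SDK: the flag-over-environment precedence, the ARN validation, and the `AssumeRoler`/`fakeSTS` stand-ins for STS are assumptions made so the example runs offline; in the real project the equivalent calls go through the AWS SDK v2 config and STS clients.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Names taken from the pull request; the flag-before-env precedence is an
// assumption for this example, not something the PR states.
const (
	flagAssumeRoleArn = "assume-role-arn"
	envAssumeRoleArn  = "SSOSYNC_ASSUME_ROLE_ARN"
	roleSessionName   = "ssosync"
)

// An IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<path/name>.
// Rejecting anything else up front turns a misconfiguration into a clear
// error instead of an STS AccessDenied at sync time.
var roleArnRe = regexp.MustCompile(`^arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:role/[\w+=,.@/-]+$`)

// ResolveAssumeRoleArn returns the configured role ARN (flag first, then the
// environment variable) or "" when the default credential chain should be
// used unchanged. lookupEnv is injected so tests need not touch the process
// environment.
func ResolveAssumeRoleArn(flagValue string, lookupEnv func(string) (string, bool)) (string, error) {
	arn := strings.TrimSpace(flagValue)
	if arn == "" {
		if v, ok := lookupEnv(envAssumeRoleArn); ok {
			arn = strings.TrimSpace(v)
		}
	}
	if arn == "" {
		return "", nil
	}
	if !roleArnRe.MatchString(arn) {
		return "", fmt.Errorf("%s: %q is not an IAM role ARN", flagAssumeRoleArn, arn)
	}
	return arn, nil
}

// Credentials is a minimal stand-in for an AWS credentials value.
type Credentials struct {
	AccessKeyID string
	Source      string // "default-chain" or "assumed-role"
}

// AssumeRoler abstracts sts:AssumeRole so the code path is testable offline.
type AssumeRoler interface {
	AssumeRole(roleArn, sessionName string) (Credentials, error)
}

// IdentityStoreClient stands in for the real client and records which
// credentials it was built from.
type IdentityStoreClient struct {
	Creds Credentials
}

// NewIdentityStoreClient starts from the base (default-chain) credentials and
// swaps in assumed-role credentials only when a role ARN is configured, so the
// no-ARN path is byte-for-byte the existing behaviour.
func NewIdentityStoreClient(base Credentials, roleArn string, sts AssumeRoler) (*IdentityStoreClient, error) {
	creds := base
	if roleArn != "" {
		if sts == nil {
			return nil, errors.New(flagAssumeRoleArn + " is set but no STS client was provided")
		}
		assumed, err := sts.AssumeRole(roleArn, roleSessionName)
		if err != nil {
			return nil, fmt.Errorf("assume role %s: %w", roleArn, err)
		}
		creds = assumed
	}
	return &IdentityStoreClient{Creds: creds}, nil
}

// fakeSTS is a constructed stand-in for STS: it honours exactly one role ARN,
// mimicking the trust-policy check the real service performs.
type fakeSTS struct{ trustedRole string }

func (f fakeSTS) AssumeRole(roleArn, sessionName string) (Credentials, error) {
	if roleArn != f.trustedRole {
		return Credentials{}, errors.New("AccessDenied: not authorized to perform sts:AssumeRole")
	}
	return Credentials{AccessKeyID: "ASIA-" + sessionName, Source: "assumed-role"}, nil
}

func main() {
	// Stand-alone demo driven by the real environment variable; the base
	// credentials are constructed placeholders.
	base := Credentials{AccessKeyID: "AKIA-BASE-EXAMPLE", Source: "default-chain"}
	roleArn, err := ResolveAssumeRoleArn("", os.LookupEnv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	client, err := NewIdentityStoreClient(base, roleArn, fakeSTS{trustedRole: roleArn})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("identitystore client built from %s credentials (%s)\n", client.Creds.Source, client.Creds.AccessKeyID)
}
```

The point worth checking in review of the real change is the same one the fake enforces: the target-account role's trust policy, not ssosync, decides who may assume it, so the role in the delegated admin or management account should trust only the specific principal ssosync runs as. The example does not model the trust policy itself.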
Development

Successfully merging this pull request may close these issues.

Support cross-account IAM role assumption for Identity Center access