Description
I'm currently using the orb to assume AWS roles via OIDC in our pipeline. However, the orb does not support passing session tags during role assumption, which is crucial for our security model.
Background:
Our security policies enforce dynamic IAM restrictions based on session tags (e.g., project identifiers) that must be attached at the time of role assumption via sts:AssumeRoleWithWebIdentity. Since the orb's aws-cli/setup command doesn't support session tags, even if I try to export session tag values as environment variables after the role has been assumed, they are not included in the temporary credentials. As a result, dynamic policy evaluation using these session tags (e.g., aws:PrincipalTag/project_id) does not work, and sessions can perform operations even if the project is not allowed by our policy.
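An added illustration, not code from the orb or from AWS: a minimal model of why an aws:PrincipalTag condition only ever sees the tags bound to the session at assumption time, so values exported as environment variables afterwards cannot satisfy it. The role ARN, bucket name and project ids are constructed sample values.

```python
import os
import re
from dataclasses import dataclass
from types import MappingProxyType

@dataclass(frozen=True)
class Session:
    """Temporary credentials plus the session tags bound at assumption time."""
    role_arn: str
    principal_tags: MappingProxyType  # read-only snapshot; nothing can add to it later

def assume_role_with_web_identity(role_arn, session_tags=None):
    """Model of sts:AssumeRoleWithWebIdentity: tags are bound here or not at all."""
    return Session(role_arn, MappingProxyType(dict(session_tags or {})))

# Constructed sample identity policy: a session may only read its own project's prefix.
POLICY = {
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/${aws:PrincipalTag/project_id}/*",
    "Condition": {"StringEquals": {"aws:PrincipalTag/project_id": ["proj-a", "proj-b"]}},
}

def _resolve(template, session):
    """Expand ${aws:PrincipalTag/<key>}; an unset tag stays unexpanded and so never matches."""
    return re.sub(r"\$\{aws:PrincipalTag/([^}]+)\}",
                  lambda m: session.principal_tags.get(m.group(1), m.group(0)), template)

def _matches(pattern, value):
    """IAM-style glob: '*' matches any run of characters."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None

def is_allowed(session, action, resource, policy=POLICY):
    """Evaluate one Allow statement; only the session's bound tags are consulted."""
    if policy["Action"] != action:
        return False
    if not _matches(_resolve(policy["Resource"], session), resource):
        return False
    for key, allowed in policy["Condition"]["StringEquals"].items():
        if session.principal_tags.get(key.split("/", 1)[1]) not in allowed:
            return False  # tag missing or not in the allowed set: implicit deny
    return True

def demo():
    """(tagged session on its own prefix, tagged on another prefix, untagged with env var set)"""
    role = "arn:aws:iam::123456789012:role/ci-role"  # constructed sample ARN
    tagged = assume_role_with_web_identity(role, {"project_id": "proj-a"})
    untagged = assume_role_with_web_identity(role)
    os.environ["PROJECT_ID"] = "proj-a"  # exported after assumption: never part of the session
    obj = "arn:aws:s3:::example-bucket/{}/report.csv"
    return (is_allowed(tagged, "s3:GetObject", obj.format("proj-a")),
            is_allowed(tagged, "s3:GetObject", obj.format("proj-b")),
            is_allowed(untagged, "s3:GetObject", obj.format("proj-a")))
```

Only the first call is allowed; the untagged session is denied even though the environment variable is set, which is the gap described above.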