buildkite / agent

The Buildkite Agent is an open-source toolkit written in Go for securely running build jobs on any device or network
https://buildkite.com/
MIT License

Add support for oidc aws session tags #3015

Closed sj26 closed 1 week ago

sj26 commented 1 week ago

Description

Teach the agent how to request OIDC tokens including aws session tags:

buildkite-agent oidc request-token --audience sts.amazonaws.com --aws-session-tag pipeline_id

Claims are then added to the returned token as aws session tags using their prescribed format:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_adding-assume-role-idp

which can then be used to grant permission to aws resources using attribute based access control (ABAC):

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html

This is a finer-grained control than the subject-condition-based option currently available:

https://buildkite.com/docs/pipelines/security/oidc/aws#step-2-create-a-new-or-update-an-existing-iam-role-to-use-with-your-pipelines

The Buildkite Agent API already supports this parameter.

Changes

Mostly copy/pasta of how --claim works. I also added an api test for claims alongside aws_session_tags.

Testing

go run . oidc request-token --endpoint http://agent.buildkite.localhost --agent-access-token test --job abc123 --debug --debug-http --aws-session-tag organization_id
2024-09-24 13:43:44 DEBUG  Loaded config command=oidc request-token agent_version=3.78.0+x..dirty
2024-09-24 13:43:44 DEBUG  POST /jobs/abc123/oidc/tokens HTTP/1.1
Host: agent.buildkite.localhost
User-Agent: buildkite-agent/3.78.0.x (darwin; arm64)
Content-Length: 41
Content-Type: application/json
Accept-Encoding: gzip

{"aws_session_tags":["organization_id"]}

That will do the job.
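As an added illustration of what the agent's server side has to produce once it receives `aws_session_tags` (this is example code written for this page, not part of the buildkite/agent code or its API), the block below copies selected token claims into the claim shape that AWS reads session tags from, `https://aws.amazon.com/tags` with a `principal_tags` map, and reads them back out the way a verifier would before trusting an ABAC condition on them. The claim names (`organization_id`, `pipeline_id`), the sample payload and the AWS key/value length limits are assumptions for the example; a real token is signed, so only the payload construction is shown.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// awsTagsClaim is the structure AWS expects under the "https://aws.amazon.com/tags"
// claim of an OIDC token when the web identity should carry session tags
// (the format referenced in the PR description).
type awsTagsClaim struct {
	PrincipalTags     map[string][]string `json:"principal_tags"`
	TransitiveTagKeys []string            `json:"transitive_tag_keys,omitempty"`
}

const awsTagsClaimName = "https://aws.amazon.com/tags"

// Assumed AWS session-tag limits: key up to 128 chars, value up to 256 chars.
const (
	maxTagKeyLen   = 128
	maxTagValueLen = 256
)

// buildSessionTags copies the requested claims into the AWS session-tag shape.
// A missing or non-string claim is an error rather than a silently absent tag,
// so an ABAC condition downstream can never be matched by an empty tag.
func buildSessionTags(claims map[string]any, tagNames []string) (awsTagsClaim, error) {
	out := awsTagsClaim{PrincipalTags: map[string][]string{}}
	for _, name := range tagNames {
		if name == "" || len(name) > maxTagKeyLen {
			return awsTagsClaim{}, fmt.Errorf("invalid session tag key %q", name)
		}
		raw, ok := claims[name]
		if !ok {
			return awsTagsClaim{}, fmt.Errorf("claim %q not present in token", name)
		}
		val, ok := raw.(string)
		if !ok {
			return awsTagsClaim{}, fmt.Errorf("claim %q is not a string", name)
		}
		if len(val) > maxTagValueLen {
			return awsTagsClaim{}, fmt.Errorf("claim %q exceeds %d chars", name, maxTagValueLen)
		}
		out.PrincipalTags[name] = []string{val} // AWS takes exactly one value per key
	}
	return out, nil
}

// tagPayload returns the token payload (unsigned JSON) with the tags claim attached.
func tagPayload(claims map[string]any, tagNames []string) ([]byte, error) {
	tags, err := buildSessionTags(claims, tagNames)
	if err != nil {
		return nil, err
	}
	payload := make(map[string]any, len(claims)+1)
	for k, v := range claims {
		payload[k] = v
	}
	payload[awsTagsClaimName] = tags
	return json.Marshal(payload)
}

// principalTag reads one session tag back out of a decoded payload, which is
// the check a verifier wants before relying on aws:PrincipalTag/<key> conditions.
func principalTag(payload []byte, key string) (string, error) {
	var decoded struct {
		Tags *awsTagsClaim `json:"https://aws.amazon.com/tags"`
	}
	if err := json.Unmarshal(payload, &decoded); err != nil {
		return "", err
	}
	if decoded.Tags == nil {
		return "", errors.New("token carries no session tags")
	}
	vals := decoded.Tags.PrincipalTags[key]
	if len(vals) != 1 {
		return "", fmt.Errorf("expected exactly one value for tag %q, got %d", key, len(vals))
	}
	return vals[0], nil
}

// sampleClaims is a constructed example payload, not a real Buildkite token.
var sampleClaims = map[string]any{
	"sub":             "organization:acme:pipeline:deploy:ref:refs/heads/main",
	"aud":             "sts.amazonaws.com",
	"organization_id": "org_0123456789abcdef",
	"pipeline_id":     "pipe_fedcba9876543210",
	"build_number":    float64(42), // numeric claim: deliberately not taggable here
}

func main() {
	payload, err := tagPayload(sampleClaims, []string{"organization_id", "pipeline_id"})
	if err != nil {
		panic(err)
	}
	fmt.Println(string(payload))
	v, _ := principalTag(payload, "pipeline_id")
	fmt.Println("pipeline_id session tag:", v)
}
```

The strictness is the point: when a tag is meant to gate access through an IAM condition, the token issuer should fail the request if the claim backing that tag is absent or not a plain string, instead of issuing a token that simply lacks the tag. Note that the role's trust policy must also permit `sts:TagSession` for AWS to accept tagged web identities at all.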