Support cross-account IAM role assumption for Identity Center access #295

@tchatzig

Description

Is your feature request related to a problem? Please describe.

Currently, ssosync must run in the AWS management/root account because IAM Identity Center APIs are only available there. As a security best practice, workloads should not run in the management account to minimize blast radius if compromised. Running ssosync in the management account means any vulnerability in the Lambda could potentially expose access to all child accounts in the organization.

Describe the solution you'd like

Add support for an environment variable (e.g., ASSUME_ROLE_ARN) that allows ssosync to assume an IAM role in the management/root account before making Identity Center API calls.

This would enable:

  1. Deploying ssosync Lambda to a workload account (e.g., security)
  2. Creating an IAM role in the management account with Identity Center permissions
  3. Configuring ssosync with ASSUME_ROLE_ARN=arn:aws:iam::<mgmt-account-id>:role/SSOSyncRole
  4. ssosync assumes the role and performs sync operations

Describe alternatives you've considered


Additional context
This follows AWS Well-Architected Framework security best practices for keeping the management/root account free of application workloads. Many organizations have policies that prohibit deploying Lambdas or other compute resources in their management account.
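The management-account side of the design requested above, written out as a CloudFormation snippet. This is an added illustration, not code from the issue or from the ssosync project. The role name `SSOSyncRole` comes from the ARN in the issue; the account id, the execution role name and the exact set of `identitystore:*` actions are assumptions and will need adjusting to the ssosync version being deployed. The point it adds is the trust policy: the role should trust only the Lambda's execution role in the workload account, not the workload account as a whole, so that compromise of any other principal in that account does not yield Identity Center access.

```yaml
# Management-account role that the ssosync Lambda (running in a workload
# account) assumes before calling IAM Identity Center APIs.
# Added example, not part of ssosync or this issue; assumptions are marked.
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Cross-account role for ssosync. Deploy in the management account; the
  workload-account Lambda is configured with
  ASSUME_ROLE_ARN=arn:aws:iam::<mgmt-account-id>:role/SSOSyncRole.

Parameters:
  WorkloadAccountId:
    Type: String
    Description: Account that hosts the ssosync Lambda (placeholder, fill in).
  SsoSyncExecutionRoleName:
    Type: String
    # Hypothetical name of the Lambda's execution role in the workload account.
    Default: ssosync-lambda-execution-role

Resources:
  SSOSyncRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: SSOSyncRole          # matches the ARN used in the issue
      MaxSessionDuration: 3600       # one sync run needs far less than an hour
      # Trust exactly one principal: the Lambda's execution role. Trusting
      # "arn:aws:iam::<WorkloadAccountId>:root" would let any principal in the
      # workload account with sts:AssumeRole reach Identity Center.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${WorkloadAccountId}:role/${SsoSyncExecutionRoleName}
            Action: sts:AssumeRole
      Policies:
        - PolicyName: identity-center-sync
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: DiscoverIdentityCenterInstance
                Effect: Allow
                Action:
                  - sso:ListInstances
                Resource: "*"
              - Sid: SyncIdentityStore
                Effect: Allow
                # Assumed to be the set ssosync needs for user/group/membership
                # sync; trim to what the deployed version actually calls.
                Action:
                  - identitystore:ListUsers
                  - identitystore:ListGroups
                  - identitystore:ListGroupMemberships
                  - identitystore:DescribeUser
                  - identitystore:DescribeGroup
                  - identitystore:IsMemberInGroups
                  - identitystore:CreateUser
                  - identitystore:UpdateUser
                  - identitystore:DeleteUser
                  - identitystore:CreateGroup
                  - identitystore:DeleteGroup
                  - identitystore:CreateGroupMembership
                  - identitystore:DeleteGroupMembership
                # Can be narrowed to the identity store's own ARN where the
                # action supports resource-level permissions.
                Resource: "*"

Outputs:
  RoleArn:
    Description: Value to place in the Lambda's ASSUME_ROLE_ARN variable.
    Value: !GetAtt SSOSyncRole.Arn
```

The workload side needs the matching half: the Lambda's execution role must be allowed `sts:AssumeRole` on this role's ARN, and nothing else in the management account. Because every sync run then starts with an `AssumeRole` call, CloudTrail in the management account records the calling execution role on each event, which gives a simple detection hook: any `AssumeRole` into `SSOSyncRole` from a principal other than the expected execution role is worth an alert.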
