feat: support ID tokens instead of CI_JOB_JWT

* `AWS_OIDC_ROLE_ARN` for any global/common access,

* `AWS_REVIEW_OIDC_ROLE_ARN` and/or `AWS_INTEG_OIDC_ROLE_ARN` and/or `AWS_STAGING_OIDC_ROLE_ARN` and/or `AWS_PROD_OIDC_ROLE_ARN` if you wish to use a separate role with any of your environments.

The template supports two ways to retrieve the JSON web token (JWT):

* using GitLab's `CI_JOB_JWT_V2` variable - _default_<br/>

  :warning: deprecated, scheduled to be removed in GitLab 16.5

* using an [ID token](https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens) named `AWS_JWT` - _configurable_

The ID token can be configured as follows in your `.gitlab-ci.yml` file:

```yaml

# enable AWS_JWT ID token for AWS jobs only

.aws-base:

  id_tokens:

    AWS_JWT:

      # use your own audience url here

      aud: https://gitlab.com

```

### Deployment context variables

In order to manage the various deployment environments, this template provides a couple of **dynamic variables**

| `secret_path` (_path parameter_) | this is your secret location in the Vault server |

| `field` (_query parameter_)      | parameter to access a single basic field from the secret JSON payload |

The variant supports two ways to retrieve the JSON web token (JWT):

* using GitLab's `CI_JOB_JWT` variable - _default_<br/>

  :warning: deprecated, scheduled to be removed in GitLab 16.5

* using an [ID token](https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens) named `VAULT_JWT_TOKEN` - _configurable_

The ID token can be configured as follows in your `.gitlab-ci.yml` file:

```yaml

# enable VAULT_JWT_TOKEN ID token for AWS jobs only

.aws-base:

  id_tokens:

    VAULT_JWT_TOKEN:

      # use your own audience url here

      aud: https://gitlab.com

```

#### Example

```yaml

    AWS_SECRET_ACCESS_KEY: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/aws/prod/account?field=secret_access_key"

    VAULT_BASE_URL: "https://vault.acme.host/v1"

    # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable

# enable VAULT_JWT_TOKEN ID token for AWS jobs only

.aws-base:

  id_tokens:

    VAULT_JWT_TOKEN:

      # use your own audience url here

      aud: https://gitlab.com

```

  # variabilized vault-secrets-provider image

  TBC_VAULT_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master"

  # variables have to be explicitly declared in the YAML to be exported to the service

  VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"

  VAULT_ROLE_ID: "$VAULT_ROLE_ID"

  VAULT_SECRET_ID: "$VAULT_SECRET_ID"

      log_info "Obtaining temporary credentials with OpenID connect..."

      # see: https://docs.gitlab.com/ee/ci/cloud_services/aws/

      # shellcheck disable=SC2046,SC2183

      export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" $(aws sts assume-role-with-web-identity --role-arn "$oidc_role_arn" --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}" --web-identity-token "$CI_JOB_JWT_V2" --duration-seconds 3600 --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text))

      export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" $(aws sts assume-role-with-web-identity --role-arn "$oidc_role_arn" --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}" --web-identity-token "${AWS_JWT:-$CI_JOB_JWT_V2}" --duration-seconds 3600 --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text))

      aws sts get-caller-identity

    else

      log_info "Implicit authentication with AWS access key ID & secret access key..."