@most-mouse-38002 One suggestion - put the principal in one account dedicated for this purpose and use Assume Role to deploy to your app environments.
Our own @billowy-army-68599 has you covered with this excellent blog post for more info: https://leebriggs.co.uk/blog/2022/09/05/authenticating-to-aws-the-right-way