Setting up separate mgmt account - Digger

You can use separate AWS accounts for Digger locks and target infrastructure.

If you only pass AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env vars, same account will be used for both
If in addition you also pass DIGGER_AWS_ACCESS_KEY_ID and DIGGER_AWS_SECRET_ACCESS_KEY vars then those will be used for Digger locks, and the first pair will be used as target account

Setting up DynamoDB Access for locks Authenticating with OIDC on AWS