Our DEPLOYMENT_ROLE_ARN is a secret environment variable. We don't need this to be secret, and it would be better if this were a variable so that we could see what stage has which ARN.
Additionally, though it's not easy to confirm because the DEPLOYMENT_ROLE_ARN is a secret, it appears that we are using a very permissive role (admin) and we should create a less permissive OIDC role to use for our deployments.
Acceptance Criteria