Controlling vault access for Runway service owners

Granting service owners access to the vault path for their respective services would alleviate requests for Runway maintainers or SREs to access vault for secret updates. E.g. gitlab-org/modelops/ai-model-validation-and-research/ai-evaluation/prompt-library#346 (comment 2021581008)

Currently, vault access is controlled in config-mgmt: https://ops.gitlab.net/gitlab-com/gl-infra/config-mgmt/-/blob/f061df61dcd69573283034880c5768be696986ea/environments/vault-production/groups.tf#L46