According this page only Manager or Admin roles have access to API keys. However the Ampli CLI pulls keys down without regard to user roles. This then prevents Managers and Admin from withholding production keys until data governance requirements are met.
This is a major access hole. Change my mind.