Alternative to service_role key?

I want to use an alternative (aka new key with custom policies for read and update) so I have an alternative 'secure' role for my backend client. I tried using a custom 'power' user via auth and use RLS which works fine, but I need access to some secrets stored in the vault such as API keys which is not possible for authenticated users.

Is there a way to have such an api key?