The client has a requirement to regularly scp files between environments. Ultimately, the deploy and Postgres users need to be able to read the files being copied. It would be helpful/less complicated if it was the deploy user itself doing the copying.
The client also mentions that he may have to develop some custom chef, but at the same time they are only asking for guidance, and want to make sure are not breaking the existing system that populates the deploy user's authorized_keys file.
This is the answer given by support:
One option here would be to actually make use of our back-end systems populating of the allowed keys. To accomplish allowing system A to scp to system B you could create an SSH key pair making use of chef or another method to ensure that the private key is available on system A, and then upload the public key to the EY dashboard, and associate it with the system B environment. This way the key will be allowed on system B and you can specify the key to be used when connecting from system A. This will ensure that when chef runs the key on system B is not removed.