The S3 binary manager currently requires use of the AWS Access Key Id and AWS Secret Access Key.
It should also be able to handle IAM instance roles, which allow the use of automatically retrieved temporary id/secret keys.
This requires extending the AmazonS3Client and AmazonS3EncryptionClient to detect errors due to expired credentials on operations, and automatically renew them and retry the operation.