[phamilton]

This is exactly how things already work on EC2.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-role...

TL;DR;

    curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access

will get you the credentials for s3 access if you define a role named s3access and grant that role the associated permissions.