If you run this on an EC2 instance, the standard way to speak to AWS APIs is via the instance metadata service, which is a hypervisor-provided HTTP endpoint accessible only within the instance that provides a triple of access key, secret key, and session token.
Eyeballing your S3 code, it doesn't look like that use case would work today, because it expects the credentials to be static, and furthermore expects there to only be an access and secret key (no session token). The good news is that the AWS SDK for Go already knows how to speak to the magic endpoint for you, but you need to let it.
I think this would be very useful: it's not only more secure (no credentials need to live on your filesystem, and the credentials automatically rotate multiple times a day) but it's also more convenient than manually passing around opaque hex blobs as keys.
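An added example, not part of the original post or the project's code: what a caller has to do differently with instance-role credentials compared with a static key pair, namely carry the session token and refetch before expiry. `RoleProvider`, `Fetch` and the sample document are hypothetical; `Fetch` stands in for the HTTP request to the metadata endpoint, which the AWS SDK for Go performs itself.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Creds is the triple the metadata service returns, plus its expiry time.
type Creds struct {
	AccessKeyId, SecretAccessKey, Token string
	Expiration                          time.Time
}

// RoleProvider caches the triple and refetches it Window before expiry.
// Fetch is a stand-in for the HTTP GET to the metadata endpoint. Not goroutine-safe.
type RoleProvider struct {
	Fetch  func() ([]byte, error)
	Now    func() time.Time
	Window time.Duration
	cur    Creds
}

func (p *RoleProvider) Retrieve() (Creds, error) {
	if p.cur.Token != "" && p.Now().Before(p.cur.Expiration.Add(-p.Window)) {
		return p.cur, nil // cached triple is still fresh: no fetch
	}
	raw, err := p.Fetch()
	if err != nil {
		return Creds{}, err
	}
	var c Creds
	if err := json.Unmarshal(raw, &c); err != nil {
		return Creds{}, err
	}
	if c.AccessKeyId == "" || c.SecretAccessKey == "" || c.Token == "" {
		return Creds{}, fmt.Errorf("incomplete credentials document")
	}
	p.cur = c
	return c, nil
}

func main() { // constructed document; already expired, so Retrieve fetches
	doc := []byte(`{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"s","Token":"t","Expiration":"2024-01-01T01:00:00Z"}`)
	p := &RoleProvider{Fetch: func() ([]byte, error) { return doc, nil }, Now: time.Now, Window: 5 * time.Minute}
	fmt.Println(p.Retrieve())
}
```

A configuration that only has fields for an access key and a secret key cannot represent this: the token is missing and nothing triggers a refetch when the credentials rotate.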