There are different ways of getting AWS credentials from inside AWS. The most preferable and secure is using instance_profile for ec2 or IAM Roles for Service Accounts (kube2iam or kiam) for k8s. The idea is as simple as getting temporary credentials form aws sts service and renew the keys as the time goes. The only business for a user is to create a proper policy with resource permissions and attach it to a role that is attached to instance_profile or k8s service account. So the idea is: no hardcoded or predefined key!
Percona mongo operator now have this:
If no Credentials set - return an error.
it would be nice to have the option not to set the credentials if the mongo cluster is run on AWS (operator checks or an extra field in CRD). In case there is no credentials set and the environment is AWS - ask STS for credentials with further updates.