Thursday, 12 September 2013

Sign S3 upload policy using Instance Profile credentials

I'm putting together a drag & drop interface for file uploads directly to
S3. My workflow is something like this:

1. Upon drop I make an AJAX request to the server
2. The server generates and signs an S3 upload policy
3. The client side completes the upload

Obviously, signing the policy is done with the secret key. The problem I'm
facing is two-fold:

1. I can obviously do Aws::getConfig() and fish out the secret key from
   there, but that doesn't seem to be a very clean approach.
2. When deployed on EC2, I won't have access to the secret key at all,
   because I'm using instance roles so that I don't have to store my
   credentials on the server itself.

In both cases I could circumvent the SDK and do it manually, so the
question really is: can this be done with the SDK, and if so, how?
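
The signing step of the workflow above, as an added example that is not part of the original post and not SDK code. It assumes Signature Version 4 browser-based POST. The function name `sign_post_policy` and its parameters are hypothetical, and the three credential values stand for the temporary credentials an instance role supplies, passed in by the caller.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timedelta, timezone

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_post_policy(access_key, secret_key, session_token, bucket, key_prefix,
                     region="us-east-1", now=None, ttl_seconds=300,
                     max_bytes=10 * 1024 * 1024):
    """Return the form fields the browser POSTs to S3; the secret stays server-side."""
    now = now or datetime.now(timezone.utc)
    datestamp = now.strftime("%Y%m%d")
    fields = {
        "x-amz-algorithm": "AWS4-HMAC-SHA256",
        "x-amz-credential": f"{access_key}/{datestamp}/{region}/s3/aws4_request",
        "x-amz-date": now.strftime("%Y%m%dT%H%M%SZ"),
    }
    if session_token:
        # Temporary (role) credentials are only valid together with their token,
        # so it must be both a form field and a policy condition.
        fields["x-amz-security-token"] = session_token
    conditions = [
        {"bucket": bucket},
        ["starts-with", "$key", key_prefix],        # confine uploads to one prefix
        ["content-length-range", 0, max_bytes],     # cap the object size
    ]
    conditions += [{name: value} for name, value in fields.items()]
    policy = {
        "expiration": (now + timedelta(seconds=ttl_seconds)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "conditions": conditions,
    }
    policy_b64 = base64.b64encode(json.dumps(policy).encode()).decode()
    # SigV4 signing key: HMAC chain over date, region, service, terminator.
    key = ("AWS4" + secret_key).encode()
    for part in (datestamp, region, "s3", "aws4_request"):
        key = _hmac(key, part)
    fields["policy"] = policy_b64
    fields["x-amz-signature"] = hmac.new(key, policy_b64.encode(), hashlib.sha256).hexdigest()
    return fields

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(sign_post_policy("ASIAEXAMPLEKEYID", "constructed-secret",
                           "constructed-session-token", "example-bucket", "uploads/"))
```

Keep the policy lifetime shorter than the remaining lifetime of the role credentials, because a policy signed with them stops working once they expire.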
