This is an example of a wordpress plugin that uses a role defined in the config file.
https://deliciousbrains.com/wp-offload-media/doc/iam-roles/
AWS roles use the default credentials on the system. Those credentials are rotated all the time and since they expire, they are more secure.
Here's an example of how Webinoly could retrieve the credentials:
When running the backup config you would need the user to specify the IAM role attached the the EC2 instance. In this example, let's call it "webinoly-server-role"
IAM_ROLE=webinoly-server-role
This will get you the AccessKeyId:
wget -q -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/webinoly-server-role | awk /AccessKeyId/ | awk -F "\"" '{print $4}'
This will get you the SecretAccessKey:
wget -q -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/webinoly-server-role | awk /SecretAccessKey/ | awk -F "\"" '{print $4}'
You would have to update the credentials used in the script to use those. Or maybe a script could run before the backup and grab the new credentials and update the credential file where they are stored.
Hope that helps explain it better at least.