I would prefer not to use static credentials and instead generate temporary credentials on-demand.

This is something I have done with other platforms such as GitHub Actions and Terraform Cloud. You can create an AWS IAM Identity Provider in the AWS Console for the OIDC Identity Provider that your platform manages, and then your runtime can call the AWS STS AssumeRoleWithWebIdentity endpoint, passing along the JWT identity token provided by your platform.

Instructions for configuring GitHub Actions to use temporary AWS credentials can be found here:

I’d like to do something similar with Render, but the Render platform would need to make available an OIDC Identity Provider, as described here: