A company operates multiple VPCs in a single AWS account. Account users need temporary access to Amazon S3 buckets. The S3 buckets are private and have no public endpoints. The solution must follow the principle of least privilege for access to each environment and must avoid distributing permanent access keys. Which solution will meet these requirements?