It does seem kind of odd that Tigris uses AWS_ACCESS_KEY_ID, as that would conflict w/ the native AWS libraries. Can’t you explicitly pass in the id/secret to the S3 client?
Also, I’d recommend doing Assuming Cloud Roles on Fly.io Machines so you don’t need to worry about AWS creds at all.