DynamoDB, `datomic:ddb//` connect URI, and AWS STS roles - can we provide the token for a keypair?


#1

I’m trying to use AWS Fargate, the new managed ECS cluster service, to run some Docker images that have Datomic peers in them, configured to talk to an on-prem transactor in EC2. The wrinkle is that the IAM role exposed to task containers in Fargate (and probably in manage-your-own-EC2-cluster ECS too) is managed by AWS STS, which means that the IAM credentials have three pieces: access_key, secret_key, and access_token (which contains expiry information, etc.).

Is there a way to provide this kind of credential to the DynamoDB client inside a Datomic peer? I would strongly prefer not to store a long-lived IAM user credential in my Docker task configuration, which is the only way I can think of to use a non-STS credential in ECS.


#2

This turned out to be my own misunderstanding - if you simply don’t provide an access key/secret key in the URL, Datomic uses the default credentials chain, which fetches the role-based creds just fine.
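Added example, not part of the original thread: a small audit that scans an ECS task definition for `datomic:ddb://` URIs that still embed a static key pair instead of relying on the default credentials chain described above. The query parameter names `aws_access_key_id` and `aws_secret_key` are assumed from Datomic's documented URI form; the container names, the `DATOMIC_URI` variable, and the table and database names are hypothetical.

```python
import json
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameter names assumed from Datomic's documented ddb URI form.
CRED_PARAMS = {"aws_access_key_id", "aws_secret_key"}
URI_RE = re.compile(r"datomic:ddb://[^\s\"']+")


def audit_uri(uri):
    """Return (redacted_uri, finding) for one datomic:ddb:// URI."""
    # Strip the "datomic:" prefix so urlsplit sees a normal scheme://host/path.
    parts = urlsplit(uri[len("datomic:"):])
    params = parse_qsl(parts.query, keep_blank_values=True)
    embedded = sorted(k for k, _ in params if k in CRED_PARAMS)
    if not embedded:
        return uri, None
    key_id = dict(params).get("aws_access_key_id", "")
    # AKIA prefixes long-lived IAM user keys; ASIA prefixes temporary STS keys.
    kind = "long-lived IAM user key" if key_id.startswith("AKIA") else "static credential"
    redacted = "datomic:ddb://%s%s?%s" % (
        parts.netloc, parts.path,
        "&".join("%s=%s" % (k, "REDACTED" if k in CRED_PARAMS else v) for k, v in params))
    return redacted, "%s embedded in URI (%s)" % (kind, ", ".join(embedded))


def audit_task_definition(task_def):
    """Scan every container's environment in an ECS task definition dict."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        for env in container.get("environment", []):
            for uri in URI_RE.findall(env.get("value", "")):
                redacted, finding = audit_uri(uri)
                if finding:
                    findings.append((container.get("name"), env.get("name"), redacted, finding))
    return findings


# Constructed sample: one peer relies on the task role, one embeds a key pair.
# The key values are AWS's documentation placeholders, not real credentials.
SAMPLE = json.loads("""{"containerDefinitions": [
  {"name": "peer-role", "environment": [
    {"name": "DATOMIC_URI", "value": "datomic:ddb://us-east-1/my-table/my-db"}]},
  {"name": "peer-static", "environment": [
    {"name": "DATOMIC_URI", "value": "datomic:ddb://us-east-1/my-table/my-db?aws_access_key_id=AKIAIOSFODNN7EXAMPLE&aws_secret_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}]}]}""")

if __name__ == "__main__":
    for row in audit_task_definition(SAMPLE):
        print(row)
```

The redacted URI in each finding can be logged or attached to a ticket without re-exposing the secret.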