AWS S3 cache resolver does not work with metadata #1490

Open
CodeMiner84 opened this issue Oct 27, 2022 · 0 comments
Problem with AWS credentials without key and secret stored in envs. According to that page:
https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials.html
we have this setup:

[Assume an IAM role](https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials_assume_role.html).

IAM roles provide applications on the instance with temporary security credentials to make AWS calls. For example, IAM roles offer an easy way to distribute and manage credentials on multiple Amazon EC2 instances.

Uploading images to AWS S3 works fine; only cache creation causes a problem.

Preconditions

  1. Symfony 5.4
  2. Liip Imagine bundle 2.9.0

Steps to reproduce

  1. Package config

```yaml
# Liip Imagine
liip_imagine:
  loaders:
    aws_loader:
      flysystem:
        filesystem_service: oneup_flysystem.aws_filesystem_filesystem
  data_loader: aws_loader
  cache: aws_resolver
  filter_sets:
    small:
      quality: 85
      filters:
        downscale:
          max: [150, 150]
    original:
      quality: 100
```

service:

```yaml
  image.cache.resolver.aws_s3_resolver:
    class: Liip\ImagineBundle\Imagine\Cache\Resolver\AwsS3Resolver
    arguments:
      - '@storage.aws.client'
      - '%env(FILE_BUCKET_NAME)%'
    tags:
      - { name: "liip_imagine.cache.resolver", resolver: "aws_resolver" }

  storage.aws.client:
    class: Aws\S3\S3Client
    arguments:
      - region: "%env(AWS_REGION)%"
        version: latest
        endpoint: "%env(CLOUD_FRONT_DOMAIN)%"
        use_path_style_endpoint: true
        credentials: ~
```

Expected result

  1. Firing up an image with the filter cache should create the cached image on AWS S3

Actual result

```
Uncaught PHP Exception Liip\ImagineBundle\Exception\Imagine\Cache\Resolver\NotStorableException: "The object could not be created on Amazon S3." at /app/vendor/liip/imagine-bundle/Imagine/Cache/Resolver/AwsS3Resolver.php line 133 {"exception":"[object] (Liip\\ImagineBundle\\Exception\\Imagine\\Cache\\Resolver\\NotStorableException(code: 0): The object could not be created on Amazon S3. at /app/vendor/liip/imagine-bundle/Imagine/Cache/Resolver/AwsS3Resolver.php:133)\n[previous exception] [object] (Aws\\S3\\Exception\\S3Exception(code: 0): Error executing \"PutObject\" on \"https://my.s3/my-bucket/small/uploads/product/images/1920/image.jpg\"; AWS HTTP error: Client error: `PUT https://my.s3/my-bucket/small/uploads/product/images/1920/image.jpg` resulted in a `403 Forbidden` response:\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>PGAD0F (truncated...)\n AccessDenied (client): Access Denied - <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>PGAD0FDNGZFFXV6Q</RequestId><HostId>ekuOedPkd9CiGo5owWlttn3DKbwYx5aVcDSQ2EC0vgv4pmky5ZuIL4TUqHfdddEiG3rzRaDi03k=</HostId></Error> at /app/vendor/aws/aws-sdk-php/src/WrappedHttpHandler.php:195)\n[previous exception] [object] (GuzzleHttp\\Exception\\ClientException(code: 403): Client error: `PUT https://my.s3/my-bucket/small/uploads/product/images/1920/image.jpg` resulted in a `403 Forbidden` response:\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>PGAD0F (truncated...)\n at /app/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php:113)"} {"request_id":"552f6c3e-f749-4b00-85d6-baf85465ebfb"
```

The cached image only works if I add this policy to the bucket:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
```

But this opens our bucket to the world, and it is not secure at all.

The same service storage.aws.client is used to upload images to S3. Can we use this setup without credentials to create the cache?
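
As an added example (not part of the original issue and not LiipImagineBundle code), this Python check flags bucket-policy statements that allow any caller, run against the policy quoted above and against a constructed role-scoped alternative. The role ARN (placeholder account ID) and the action list in `SCOPED_POLICY` are assumptions to adapt to the instance role and to the calls the resolver actually makes.

```python
import json
from fnmatch import fnmatchcase

# Bucket policy quoted in the issue: every S3 action, for every caller.
ISSUE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": "*", "Action": "s3:*",
   "Resource": "arn:aws:s3:::my-bucket/*"}]}""")

# Constructed alternative. Assumptions: placeholder role ARN and a guessed
# action list; neither comes from the issue.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/EXAMPLE-APP-ROLE"},
    "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
    "Resource": "arn:aws:s3:::my-bucket/*",
}}

WRITE_ACTIONS = ("s3:putobject", "s3:putobjectacl", "s3:deleteobject")


def as_list(value):
    """Policy fields may hold one value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """True for "*" and for {"AWS": "*"} (also when "*" sits in a list)."""
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return principal == "*"


def public_grants(policy):
    """Return one finding per unconditional Allow open to any caller."""
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # statements with a Condition need manual review
        if not is_anonymous(stmt.get("Principal")):
            continue
        actions = as_list(stmt.get("Action"))
        writable = any(fnmatchcase(w, a.lower())
                       for a in actions for w in WRITE_ACTIONS)
        findings.append({"statement": index, "actions": actions,
                         "resources": as_list(stmt.get("Resource")),
                         "anonymous_write": writable})
    return findings
```

`public_grants(ISSUE_POLICY)` reports statement 0 with `anonymous_write` set, while `public_grants(SCOPED_POLICY)` returns an empty list.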
