--duration option to create time-limited credentials (using sts.assume_role()) #27

@simonw

See #26 for the research. It looks like the way to do this is:

  1. Ensure a dedicated role with arn:aws:iam::aws:policy/AmazonS3FullAccess exists - if it does not, create it. It needs to have a known name - I propose using s3-credentials.AmazonS3FullAccess here, and also populating the Description field. The role needs to be assumable by the current account, see AssumeRolePolicyDocument example in Research creating expiring credentials using sts.assume_role() #26 (comment)
  2. Call sts.assume_role() against that role, passing in as a policy the same inline policy document used for non-expiring credentials, using the code in policies.py.
  3. Return the AccessKeyId, SecretAccessKey AND the SessionToken - all three are needed to make authenticated calls.
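
The three steps above, sketched as an added example that is not part of the original issue or the s3-credentials code base. It takes boto3-style `iam` and `sts` clients as arguments; the trust policy, the `bucket_policy()` stand-in for the document built in policies.py, the role description, the session name and all function names are assumptions.

```python
import json

ROLE_NAME = "s3-credentials.AmazonS3FullAccess"  # name proposed in the issue
POLICY_ARN = "arn:aws:iam::aws:policy/AmazonS3FullAccess"


def trust_policy(account_id):
    # Assumed trust policy: principals in the current account may assume the role.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole"}]}


def bucket_policy(bucket):
    # Hypothetical stand-in for the inline policy document from policies.py.
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [arn]},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": [arn + "/*"]}]}


def ensure_role(iam, account_id):
    # Step 1: reuse the role if it exists, otherwise create it and attach the policy.
    try:
        return iam.get_role(RoleName=ROLE_NAME)["Role"]["Arn"]
    except iam.exceptions.NoSuchEntityException:
        role = iam.create_role(
            RoleName=ROLE_NAME,
            Description="Assumed by s3-credentials for time-limited credentials",
            AssumeRolePolicyDocument=json.dumps(trust_policy(account_id)))
        iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=POLICY_ARN)
        return role["Role"]["Arn"]


def expiring_credentials(iam, sts, bucket, duration_seconds):
    if duration_seconds < 900:  # STS rejects sessions shorter than 15 minutes
        raise ValueError("duration must be at least 900 seconds")
    role_arn = ensure_role(iam, sts.get_caller_identity()["Account"])
    # Step 2: the session policy is intersected with the role's permissions,
    # so the resulting session is limited to this one bucket.
    creds = sts.assume_role(
        RoleArn=role_arn, RoleSessionName="s3-credentials",
        Policy=json.dumps(bucket_policy(bucket)),
        DurationSeconds=duration_seconds)["Credentials"]
    # Step 3: all three values are needed to sign requests.
    return {k: creds[k] for k in ("AccessKeyId", "SecretAccessKey", "SessionToken")}
```

With real clients, pass `boto3.client("iam")` and `boto3.client("sts")`. Durations above one hour also require the role's `MaxSessionDuration` to be raised from its 3600-second default.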
