把AccessKeyId和AccessKeySecret返回给浏览器，不是也暴露了吗？

[goodforever]

res.json({
  AccessKeyId: result.credentials.AccessKeyId,
  AccessKeySecret: result.credentials.AccessKeySecret,
  SecurityToken: result.credentials.SecurityToken,
  Expiration: result.credentials.Expiration
});

[k-kyle]

这是临时的AccessKeyId和AccessKeySecret