When setting up an Amazon EC2 based "Agent Cloud", we need to provide an access key and secret key so that TeamCity can start/stop and manage servers on our account. There are more secure options available: Amazon supports an alternative way of supplying credentials to processes running on EC2 servers. This is through server roles.
If I start an EC2 instance with a specific role assigned, all code running there can use an instance-specific, automatically rotated set of access and secret keys. With the Amazon Java SDK it is very simple: just omitting credentials in the constructor of the Amazon client for any service turns on this role-based discovery. It should be easy to implement (I would like to help, but I am new to the TeamCity ecosystem and AFAIK all code is closed source).
I have created an issue for this: https://youtrack.jetbrains.com/issue/TW-40312
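
An added illustration, not part of the original post and not TeamCity or AWS SDK code: the sketch below shows what the automatically rotated role credentials described above look like to code on the instance, by parsing the credentials document served by the instance metadata service and refetching it shortly before `Expiration`. The sample document, the 15-minute margin and the `fetch`/`clock` parameters are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of the JSON served on an EC2 instance at
# /latest/meta-data/iam/security-credentials/<role-name>; every value is made up.
SAMPLE_DOC = """{
  "Code": "Success",
  "LastUpdated": "2015-04-01T10:00:00Z",
  "Type": "AWS-HMAC",
  "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
  "SecretAccessKey": "constructed-secret-not-a-real-key",
  "Token": "constructed-session-token",
  "Expiration": "2015-04-01T16:00:00Z"
}"""

REFRESH_MARGIN = timedelta(minutes=15)  # assumed margin, not an AWS constant


def parse_role_credentials(doc):
    """Validate the metadata document and return the temporary credentials."""
    data = json.loads(doc)
    if data.get("Code") != "Success":
        raise ValueError("metadata service did not return credentials")
    fields = ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")
    missing = [f for f in fields if not data.get(f)]
    if missing:
        raise ValueError("credential document lacks: " + ", ".join(missing))
    expires = datetime.strptime(data["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return {"access_key": data["AccessKeyId"], "secret_key": data["SecretAccessKey"],
            "token": data["Token"], "expiration": expires.replace(tzinfo=timezone.utc)}


class CachedRoleCredentials:
    """Hands out role credentials, refetching them shortly before they expire."""

    def __init__(self, fetch, clock):
        self._fetch = fetch    # hypothetical callable returning the JSON text
        self._clock = clock    # hypothetical callable returning an aware UTC datetime
        self._creds = None

    def get(self):
        now = self._clock()
        if self._creds is None or now >= self._creds["expiration"] - REFRESH_MARGIN:
            creds = parse_role_credentials(self._fetch())
            if creds["expiration"] <= now:
                raise RuntimeError("metadata service returned expired credentials")
            self._creds = creds
        return self._creds
```

Because the keys are short-lived and always paired with a session token, nothing long-lived has to be stored in the build server's configuration; a client that caches them must be prepared to pick up the next set before the current one expires.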