Request S3 `read` credentials in decrypt workflow

In the current implementation, we rely on the defaults of the Portal STS endpoint when pulling S3 credentials. By default, Portal provides credentials for writing into a bucket, which we can use in the encrypt workflow. Unfortunately, we also get the same type of credentials in the decrypt workflow, which requires reading from a bucket. We should fix it by requesting the read credentials instead.