It turns out that this just needed some digging around in the API. The credentials can be pulled from any of the clients that you instantiate via Aws\Common\Aws::get().

// create builder; not passing credentials here
$aws = Aws\Common\Aws::factory(array(
    'region' => 'us-east-1',
));
$s3 = $aws->get('s3');
// get credentials interface
$credentials = $s3->getCredentials();

To sign the policy string you need an instance of S3Signature. According to the documentation for AbstractClient::getSignature() it would seem that you can't obtain this from S3Client, but judging from this part of the code it seems that you can.

The last step is to call the ::signString() method to generate the signature:

$policy = base64_encode(json_encode($policy_data));
$signer = $s3->getSignature();
$signature = $signer->signString($policy, $credentials);

Internally $credentials->getSecretKey() is called, which loads the necessary credentials from the meta data service when necessary; otherwise it uses the credentials that are passed to Aws::factory().

Update

It's also possible to do this without any clients:

$credentials = Aws\Common\Credentials\Credentials::factory();
$signer = new S3Signature();

$signature = $signer->signString($policy, $credentials);