There is one way. If the other services you have is trusted one then You can generate pre-signed URLs on the trusted servers and send those to the untrusted server that can then use those URLs to safely download the file.
The URLs don't require the untrusted server to hold any keys. They also have a limited time-to-live so you can limit your exposure if those leak for some reason.
This way you can allow the untrusted server to access only the files you want for the period of time you want
aws s3 presign s3://mybucket/myfile --expires-in 60