The planner should check that the credentials have strong enough permissions. For example ~/.s3cfg should be at least 600, and that is checked later by pegasus-transfer. Currently the error is only surfaced when the workflow fails, but we should be able to find this at planning time.