Amazon secret access keys can include alphanumeric characters, but also / and + (I wish there was an official source that was really specific on what they can contain, but I'll have to rely on a few blog posts and my own experience).
Keys containing slashes used to be impossible to embed in the URL (e.g. s3a://access_key:secret_key@bucket/) but it is now possible to do it via URL encoding. Pluses used to work, but that is now only possible via URL encoding.
In the case of pluses, they don't appear to cause any other problems for parsing. So IMO the best all-around solution here is for people to URL-encode these keys always, but so that keys that used to work just fine can continue to work fine, all we need to do is detect that, log a warning, and we can re-encode it for the user.