You can allow IAM roles in your account (which simply have the permissions defined, with no keys or other credentials associated) to be assumed by identities in another account. Vantage would then be responsible for securing credentials for the target identity in their account, but there would be no transfer of keys involved whatsoever from one party to another.
You can create a role with certain permissions in your account. You can then configure this role to only be assumed by another user in another specific AWS account.
This is how you can share resources between different AWS accounts.
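As an added illustration (not code from the answers above), the following checks whether a role's trust policy really limits `sts:AssumeRole` to one named identity in one specific account. The account IDs and the user name `example-integration` are constructed, and the policy is assumed to be available as parsed JSON, for example the `AssumeRolePolicyDocument` returned by `aws iam get-role`.

```python
import re

# Matches IAM/STS principal ARNs: arn:aws:iam::<account>:<resource>
ARN_RE = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):(.+)$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, trusted_account):
    """List reasons the policy trusts more than one named identity in trusted_account."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        actions = as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        # "Principal": "*" and {"AWS": "*"} both mean any AWS identity.
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for p in aws:
            m = ARN_RE.match(p)
            if p == "*":
                findings.append("wildcard: any AWS identity can assume this role")
            elif not m and not re.fullmatch(r"\d{12}", p):
                findings.append(f"unrecognised principal: {p}")
            else:
                # A bare 12-digit ID is shorthand for the account root.
                account, resource = (m.group(1), m.group(2)) if m else (p, "root")
                if account != trusted_account:
                    findings.append(f"unexpected account: {account}")
                elif resource == "root":
                    findings.append(f"whole account trusted: {account}")
    return findings

TRUSTED = "111122223333"  # constructed ID for the other party's account

def trust(principal):  # builds a constructed sample trust policy
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": principal}]}

SPECIFIC = trust({"AWS": f"arn:aws:iam::{TRUSTED}:user/example-integration"})
WHOLE = trust({"AWS": f"arn:aws:iam::{TRUSTED}:root"})
OTHER = trust({"AWS": "arn:aws:iam::444455556666:user/example-integration"})
OPEN = trust({"AWS": "*"})

if __name__ == "__main__":
    for name, pol in [("specific", SPECIFIC), ("whole", WHOLE), ("other", OTHER), ("open", OPEN)]:
        print(name, audit_trust_policy(pol, TRUSTED))
```

Trusting the account root is valid; it delegates the choice of who may assume the role to IAM policies in the other account, so it is reported rather than treated as an error.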