Securing client-specified credentials at cryptographically attested resources

What is claimed is: 1. A system, comprising: one or more computing devices configured to: determine, based at least in part on an analysis performed using a trusted platform module (TPM) associated with an instance host of a provider network, that a plurality of resources deployed for execution of a compute instance of a multi-tenant computing service at the instance host on behalf of a client meet one or more security criteria, wherein the analysis comprises: compare a hash value of the instance host that is generated by the TPM prior to the execution of the compute instance with an approved hash value that is included in a set of approved hash values stored in an attested configuration repository, wherein the set of approved hash values corresponds to configurations of the instance host approved by the client to execute the compute instance; initiate the execution of the compute instance at the instance host on behalf of the client according to a determination that the plurality of resources deployed for the execution of the compute instance meet the one or more security criteria; receive, at the instance host from a credentials source indicated by the client, an encrypted representation of a set of credentials usable by one or more client applications or programs running on the compute instance to perform one or more operations of the one or more client applications or programs; verify that a trusted resource stack is running at the compute instance based at least in part on a comparison of the hash value and a second hash value of the instance host that is generated by the TPM during the execution of the compute instance; verify that the one or more client applications or programs have administrative rights for the instance host to decrypt the credentials; in response to a verification that the trusted resource stack is running at the compute instance and a verification that the one or more client applications or programs have the administrative rights, extract, at the instance host, the credentials from the encrypted representation based at least in part on decrypting the encrypted representation using a private key unique to the TPM; store the credentials at a non-persistent memory location accessible from the compute instance; perform the one or more operations of the one or more client applications or programs running on the compute instance, wherein the one or more client applications or programs are configured to use the credentials during the execution of the compute instance and the one or more client applications or programs; and remove the credentials from the non-persistent memory location, without saving the credentials to a persistent store, in response to performance of the one or more operations using the credentials. 2. The system as recited in claim 1 , wherein the trusted resource stack corresponds to the hash value generated by the TPM, and wherein the hash value generated by the TPM is based at least on part on one or more of (a) a BIOS (basic input/output system) setting of the instance host, (b) a configuration of a hypervisor installed at the instance host, (c) a configuration of a guest operating system to be used for the compute instance, (d) a configuration of an administrative operating system installed at the instance host for virtualization management, (e) firmware of one more peripheral devices attached to the instance host, or (f) values stored in one or more hardware configuration registers. 3. The system as recited in claim 1 , wherein the instance host is further configured to receive the hash value with the encrypted representation. 4. The system as recited in claim 1 , wherein the set of credentials is generated at one of: (a) a smart card, (b) a hardware security module, or (c) an HSM appliance implemented by a network-accessible service of the provider network. 5. The system as recited in claim 1 , wherein the one or more computing devices configured to: launch, at the instance host, the compute instance on a tentative basis; receive, from the client, approval of the client to launch the compute instance; and in response to the approval, launch, at the compute instance, the trusted resource stack. 6. A method, comprising: performing, by one or more computing devices: determining whether an instance host of a computing service meets security criteria based at least in part on an analysis performed using a trusted platform module (TPM) at the instance host, comprising: comparing a hash value of the instance host generated by the TPM prior to execution of a compute instance with an approved hash value that is included in a set of approved hash values stored in an attested configuration repository, wherein the set of approved hash values corresponds to configurations of the instance host approved to execute the compute instance; initiate the execution of the compute instance at the instance host according to a determination that the instance host meets the security criteria; receiving, at the instance host, an encrypted representation of one or more credentials usable by one or more client applications or programs running on a compute instance at the instance host to perform one or more operations of the one or more client applications or programs; determining whether the instance host is permitted to decrypt the encrypted representation of the one or more credentials, comprising: verifying that a trusted resource stack is running at the instance host based at least in part on a comparison of the hash value and a second hash value of the compute instance host that is generated by the TPM during the execution of the compute instance; and verifying that the one or more client applications or programs have administrative rights to allow the instance host to decrypt the one or more credentials; in response to a verification that the trusted resource stack is running at the instance host and a verification that the one or more client applications or programs have the administrative rights, extracting, at the instance host, the one or more credentials from the encrypted representation into a non-persistent memory location at the instance host based at least in part on decrypting the encrypted representation using a private key available at the instance host; performing the one or more operations of the one or more client applications or programs running on the compute instance, wherein the one or more client applications or programs are configured to use the one or more credentials during the execution of the compute instance and the one or more client applications or programs; and in response to performing the one or more operations, discarding the one or more credentials from the instance host, without saving the one or more credentials to a persistent store. 7. The method as recited in claim 6 , wherein the comparing the hash value of the instance host is performed by a third-party platform attester configured to access the attested configuration repository. 8. The method as recited in claim 7 , wherein said trusted platform module comprises one of: (a) a hardware cryptographic processor or (b) a virtualized cryptographic processor comprising one or more software modules. 9. The method as recited in claim 7 , wherein verifying that the instance host is running the trusted resource stack comprises: generating a new hash value by the TPM; and comparing the hash value with the new hash value. 10. The method as recited in claim 6 , wherein the hash value generated by the TPM is based at least on part on one or more of (a) a BIOS (basic input/output system) setting of the instance host, (b) a configuration of a hypervisor installed at the instance host, (c) a