
I agree with other posters that long-lived non-autorotating IAM/S3 secret keys are not a good idea. A common alternate approach is presigned URLs. And not just on S3.

Google Cloud, Backblaze, Digital Ocean, Cloudflare, Azure all have this presigned URL functionality too (I checked for the degree of lock-in before I started using S3's presigned URLs in a set of bulk-data APIs at one place I've worked).

GCP: https://cloud.google.com/storage/docs/access-control/signed-...

Digital Ocean: https://docs.digitalocean.com/products/spaces/how-to/set-fil...

Hetzner: https://docs.hetzner.com/storage/object-storage/faq/buckets-...

Backblaze: https://backblaze-prod.us.document360.io/apidocs/b2-get-down...

Cloudflare R2: https://developers.cloudflare.com/r2/api/s3/presigned-urls/

Azure: https://learn.microsoft.com/en-us/rest/api/storageservices/d...

etc.

Also, presigned URLs can be used not just for downloading files with a temporary URL but can also be created for uploading files with a temporary URL.



