Let's say I want to write a web app in JavaScript that uses the AWS Lex service and the AWS Polly service. The app needs to access these services on my behalf. However, I probably shouldn't include into the app my AWS secret key in plain text.
So, what is the proper way to authorize web clients to access AWS services? Is it the temporary access tokens?
You should not include your API key in client side code.
You should write a little webserver that contains your key and have that talk to AWS and have your JavaScript web app talk to your webserver.