Tags: amazon-web-services, authentication, amazon-iam

AWS CLI Assume Role from Server


I have a server running outside of AWS, and I wrote a small script to upload files from that server to an S3 bucket regularly. My first authentication approach was to create an IAM user, store its access key and secret on the server, and authenticate with it against AWS. I read that AWS does not recommend long-term credentials, and one should use an IAM role instead. However, in the official documentation they are using a source profile "user1". That user then assumes the role "marketingadminrole". But how do I authenticate user1? I presume with long-term credentials? So, what is the benefit of using an assumed role?

My script runs automatically as a system service, so I cannot use SSO with another identity provider.

What is the best practice for using aws-cli, boto3, etc. and authenticate against AWS safely?


Solution

  • Historically, you are correct. The typical solution was to create an IAM Role with the needed S3 permissions and then an IAM User whose sole permission was to assume the aforementioned role. In that way, the benefit was that the AWS credentials in use for the S3 operations were time-limited so if they leaked then there was a smaller window of time in which they were usable.

    Now, you should consider using IAM Roles Anywhere:

    You can use AWS Identity and Access Management Roles Anywhere to obtain temporary security credentials in IAM for workloads such as servers, containers, and applications that run outside of AWS. Your workloads can use the same IAM policies and IAM roles that you use with AWS applications to access AWS resources. Using IAM Roles Anywhere means you don't need to manage long-term credentials for workloads running outside of AWS.
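The following is an added example, not part of the original answer and not AWS's own sample code. It lays out the "historical" design the answer describes: a role that may only write to one bucket prefix, a user whose sole permission is sts:AssumeRole on that role, and an AWS CLI profile that chains the two so the CLI fetches short-lived STS credentials itself. A second profile shows the IAM Roles Anywhere variant, where no long-term key exists on the server at all. The account id, bucket name, role and user names, certificate paths and the Roles Anywhere trust-anchor and profile ids are placeholders; the Roles Anywhere profile assumes the `aws_signing_helper` credential helper binary is installed on the server and that the role's trust policy has been changed to trust the rolesanywhere.amazonaws.com service principal instead of the user.

```shell
#!/bin/sh
# Added example: least-privilege assume-role setup for an off-AWS upload bot.
# All ids below are placeholders; replace them with your own values.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"        # placeholder account id
BUCKET="${BUCKET:-example-upload-bucket}"        # placeholder bucket name
ROLE_NAME="S3UploaderRole"                       # hypothetical role name
USER_NAME="s3-uploader-bot"                      # hypothetical user name
ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}"

# Trust policy for the role: only the uploader user may assume it.
write_trust_policy() {
  cat > "$1" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::${ACCOUNT_ID}:user/${USER_NAME}"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Permissions policy for the role: write to one prefix of one bucket, nothing else.
write_role_policy() {
  cat > "$1" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::${BUCKET}/uploads/*"
  }]
}
EOF
}

# Permissions policy for the user: its only right is to assume the uploader role.
# A leaked user key therefore cannot touch S3 directly.
write_user_policy() {
  cat > "$1" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "${ROLE_ARN}"
  }]
}
EOF
}

# ~/.aws/config for the server. The user's long-term key lives only under
# [uploader-user] in ~/.aws/credentials (set with: aws configure --profile uploader-user);
# the [uploader] profile holds no secret, the CLI calls AssumeRole for it on demand.
# [uploader-anywhere] shows the IAM Roles Anywhere form, which needs no key file at all.
write_cli_config() {
  cat > "$1" <<EOF
[profile uploader-user]
region = us-east-1

[profile uploader]
role_arn = ${ROLE_ARN}
source_profile = uploader-user
role_session_name = upload-bot
duration_seconds = 900

[profile uploader-anywhere]
region = us-east-1
credential_process = aws_signing_helper credential-process --certificate /etc/uploader/cert.pem --private-key /etc/uploader/key.pem --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:${ACCOUNT_ID}:trust-anchor/TRUST_ANCHOR_ID --profile-arn arn:aws:rolesanywhere:us-east-1:${ACCOUNT_ID}:profile/PROFILE_ID --role-arn ${ROLE_ARN}
EOF
}

# One-time provisioning, run by an administrator with IAM rights (not by the bot).
apply_to_aws() {
  dir="$1"
  write_trust_policy "$dir/trust.json"
  write_role_policy "$dir/role.json"
  write_user_policy "$dir/user.json"
  aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document "file://$dir/trust.json"
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name S3UploadOnly --policy-document "file://$dir/role.json"
  aws iam create-user --user-name "$USER_NAME"
  aws iam put-user-policy --user-name "$USER_NAME" --policy-name AssumeUploaderRoleOnly --policy-document "file://$dir/user.json"
}

# What the scheduled job on the server actually runs: the role profile, never the user key.
upload_with_role() {
  aws --profile uploader s3 cp "$1" "s3://${BUCKET}/uploads/$(basename "$1")"
}
```

Run `apply_to_aws "$(mktemp -d)"` once from an administrator workstation, then `write_cli_config ~/.aws/config` on the server and point the service at `upload_with_role`. With `duration_seconds = 900`, a stolen set of session credentials stops working within fifteen minutes, and the user key that remains on the server can do nothing but request another such session, which CloudTrail records as an AssumeRole event for that role.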