Heroku: Using AWS S3 to Store Static Assets and File Uploads suggests using my AWS security credentials to enable my Heroku app to access my Amazon S3 bucket.
However, isn't it better practice (as explained in IAM Roles: Providing access to third parties) to use an IAM role to grant my Heroku app access to my Amazon S3 bucket?
If that's not possible, would the next best option be to create an IAM user (with credentials) just for use with my Heroku app?
IAM roles apply to your servers, not Heroku's, so they're not an option here.
Yes, you can - and should - give them access using an IAM user with limited permissions instead of your root user. It'd be nice if Heroku would add that to their docs, but I imagine they wanted to keep people's first go at it simpler.
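One way to set up the limited-permission IAM user recommended above, as an added example that is not part of the original answer or Heroku's docs. The user, bucket and app names are placeholders, and the set of S3 actions is an assumption about what a file-upload app needs.

```shell
#!/usr/bin/env bash
# Added example: dedicated least-privilege IAM user for a Heroku app's S3 bucket.
# All user, bucket and app names passed in are placeholders (assumptions).
set -e

# Emit an IAM policy scoped to ONE bucket: list it, read/write/delete its objects.
s3_app_policy() {
  local bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyThisBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Sid": "ObjectAccessInThisBucket",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}

# Create the user, attach the inline policy, and store its access key in Heroku.
provision_heroku_s3_user() {
  local user="$1" bucket="$2" app="$3" creds key_id secret
  aws iam create-user --user-name "$user" >/dev/null
  aws iam put-user-policy --user-name "$user" \
    --policy-name "${bucket}-app-access" \
    --policy-document "$(s3_app_policy "$bucket")"
  creds="$(aws iam create-access-key --user-name "$user" \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text)"
  key_id="${creds%%[[:space:]]*}"   # first tab-separated field
  secret="${creds##*[[:space:]]}"   # last tab-separated field
  heroku config:set AWS_ACCESS_KEY_ID="$key_id" \
    AWS_SECRET_ACCESS_KEY="$secret" --app "$app" >/dev/null
}

# Provision only when called with three arguments, e.g.:
#   ./provision.sh heroku-app-s3 example-bucket example-app
if [ "$#" -eq 3 ]; then
  provision_heroku_s3_user "$@"
fi
```

Because the policy names only the one bucket, a leaked key from the Heroku config cannot reach other buckets or any non-S3 service, and the key can be rotated or deleted without touching the root account.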