We have a hybrid environment where some applications are running in our own datacenter and other services are running on AWS cloud.
Now we have an application which needs to write files to S3. In our current solution we have created an IAM user (with access keys) who has an inline policy to write/list/delete objects on a certain bucket.
This works, but it isn't that secure, probably because the security credentials are permanent. One of the main advantages of using AWS roles is that the credentials are rotated in a specific time interval and stored as metadata.
I know you can assign a role to an EC2 instance so the EC2 instance can securely connect to (for example) an S3 bucket and do its allowed stuff. But how do we have to handle this for applications which are NOT running on AWS but need a connection to an AWS service?
You want to use the AWS Security Token Service. This is specifically designed for the use case you describe.
More details here:
Temporary Security Credentials
And here:
AWS Security Token Service
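As an added example (not part of the question or the answer above), this sketches the STS pattern for an on-premises application: the long-lived IAM user key is used only to call AssumeRole, and the short-lived role credentials it returns are what the application actually uses for S3, refreshed shortly before they expire. The role ARN, session name, the `boto3` backend and the constructed fake STS used to run it offline are all assumptions, not from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass
class TempCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime


class RefreshingRoleCredentials:
    """Holds STS AssumeRole output and calls STS again shortly before it expires,
    so the application never uses the long-lived user key for S3 itself."""

    def __init__(self, assume_role: Callable[[str, str, int], dict], role_arn: str,
                 session_name: str, duration_seconds: int = 3600,
                 refresh_margin: timedelta = timedelta(minutes=5),
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._assume_role, self._role_arn = assume_role, role_arn
        self._session_name, self._duration = session_name, duration_seconds
        self._margin, self._now = refresh_margin, now
        self._creds: Optional[TempCredentials] = None
        self.refresh_count = 0  # number of STS calls made (handy for auditing and tests)

    def get(self) -> TempCredentials:
        # Refresh when there are no credentials yet or they are inside the safety margin.
        if self._creds is None or self._now() >= self._creds.expiration - self._margin:
            c = self._assume_role(self._role_arn, self._session_name, self._duration)["Credentials"]
            self._creds = TempCredentials(c["AccessKeyId"], c["SecretAccessKey"],
                                          c["SessionToken"], c["Expiration"])
            self.refresh_count += 1
        return self._creds


def boto3_assume_role(role_arn: str, session_name: str, duration: int) -> dict:
    """Real backend (assumed): needs boto3 and the long-lived user's keys in the environment;
    that user's only IAM permission should be sts:AssumeRole on the target role."""
    import boto3  # imported lazily so the rest of the module runs without it
    return boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=duration)


def make_fake_sts(clock: Callable[[], datetime]) -> Callable[[str, str, int], dict]:
    """Constructed stand-in for STS so the example runs offline (values are made up)."""
    def fake(role_arn: str, session_name: str, duration: int) -> dict:
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
                                "SessionToken": "token",
                                "Expiration": clock() + timedelta(seconds=duration)}}
    return fake
```

Swap `make_fake_sts(...)` for `boto3_assume_role` to talk to the real service; the role's trust policy must allow the long-lived user to assume it, and that user's policy should grant nothing beyond `sts:AssumeRole`.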