@kaosf
Last active March 18, 2017 11:51
Create a customer managed policy and a user, attach the policy to the user, and then create an access key ID and secret access key that can be used with only one S3 bucket.
# profile name "pn"
aws configure --profile pn
# Set access key id and secret access key of admin user
# Set default region (e.g. us-east-1)
# Set default format (e.g. json)

BUCKET_NAME=mybucketname

# Policy document: all S3 actions, limited to this bucket and the objects in it
cat <<EOS > policydoc.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::${BUCKET_NAME}",
        "arn:aws:s3:::${BUCKET_NAME}/*"
      ]
    }
  ]
}
EOS

# Create the policy and take its ARN by name with --query
# instead of relying on the column position in the text output
POLICY_ARN=$(aws --profile pn --output text iam create-policy \
  --policy-name "s3-bucket-${BUCKET_NAME}-full-access" \
  --policy-document file://policydoc.json \
  --query 'Policy.Arn')
rm -f policydoc.json

# Create the user and attach the policy to it
USER_NAME="s3-bucket-${BUCKET_NAME}-user"
aws --profile pn iam create-user --user-name "${USER_NAME}"
aws --profile pn iam attach-user-policy \
  --user-name "${USER_NAME}" --policy-arn "${POLICY_ARN}"

# Create the access key. The two values are held in a shell variable
# rather than in output.txt, so the secret is not left in the working directory.
KEY_OUTPUT=$(aws --profile pn --output text iam create-access-key \
  --user-name "${USER_NAME}" \
  --query 'AccessKey.[AccessKeyId,SecretAccessKey]')
ACCESS_KEY_ID=$(printf '%s\n' "${KEY_OUTPUT}" | awk '{print $1}')
SECRET_ACCESS_KEY=$(printf '%s\n' "${KEY_OUTPUT}" | awk '{print $2}')
unset KEY_OUTPUT

#### Usage example
# Heroku configuration
heroku config:set \
  AWS_ACCESS_KEY_ID="${ACCESS_KEY_ID}" \
  AWS_SECRET_ACCESS_KEY="${SECRET_ACCESS_KEY}"

# ref. http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html#iam-policy-example-s3
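
The script above interpolates BUCKET_NAME directly into the policy's Resource ARNs, where `*` and `?` act as wildcards, so a malformed name can widen the policy beyond the one intended bucket. The following added example (not part of the original gist) validates the name against the S3 bucket naming rules before rendering the same policy document; the function names `valid_bucket_name` and `render_policy` are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original gist. Function names are hypothetical.
LC_ALL=C; export LC_ALL   # make [a-z] mean ASCII lowercase only

# Succeeds only for names that follow the S3 bucket naming rules:
# 3-63 characters; lowercase letters, digits, dots and hyphens only;
# a letter or digit at both ends; no adjacent dots; not shaped like an IPv4 address.
valid_bucket_name() {
  name=$1
  len=${#name}
  [ "$len" -ge 3 ] && [ "$len" -le 63 ] || return 1
  case $name in
    *[!a-z0-9.-]*) return 1 ;;           # rejects * ? / " space, uppercase, ...
    [!a-z0-9]*|*[!a-z0-9]) return 1 ;;   # must start and end alphanumeric
    *..*) return 1 ;;                    # no adjacent dots
  esac
  if printf '%s\n' "$name" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
    return 1                             # IPv4-shaped names are not allowed
  fi
  return 0
}

# Prints the gist's policy document for one bucket, or fails without
# printing anything if the name would not identify exactly one bucket.
render_policy() {
  if ! valid_bucket_name "$1"; then
    echo "refusing to build a policy for bucket name: $1" >&2
    return 1
  fi
  cat <<EOS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::$1",
        "arn:aws:s3:::$1/*"
      ]
    }
  ]
}
EOS
}
# Usage in the script above: render_policy "${BUCKET_NAME}" > policydoc.json || exit 1
```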