Dev vs Prod S3 Authentication Strategy (Static Keys vs IAM/IRSA)

[capitansec]

Hi everyone,

I’m using RustFS as an S3-compatible service in my dev (on-prem k3s) environment.
In production, I’m using AWS S3 on AWS.

In dev, I can authenticate using access_key / secret_key without issues. However, in production I plan to use IAM-based access (e.g. IRSA on EKS), where the pod assumes a role and writes to S3 without static credentials.My question is mainly about application design and environment consistency:

• In dev, the application requires explicit credentials (access key / secret key).
• In prod, the application does not require static credentials because the cloud provider injects permissions via IAM/IRSA.

This means the runtime credential model differs between environments. From an application development perspective:

What is the recommended pattern for handling this cleanly?

Should the application:

• Always rely on the AWS SDK default credential chain?
• Be designed to support both static credentials and role-based authentication transparently?
• Or is there a preferred approach when working with S3-compatible services like RustFS in dev and AWS S3 with IAM in prod?

I’d appreciate any guidance or best practices on how to keep the environments conceptually aligned while using different authentication mechanisms underneath.

Thanks in advance!