If the third party has their own IAM users, you can create a cross-account trust relationship where you allow their IAM entity to assume a (scoped-down) role in your account. Then they are able to retrieve temporary credentials to assume this role.
One reason people don't like doing this is that by assuming this role you lose all the privileges in your own account. It's not something you can't overcome (e.g. by using separate credential chains in different parts of the app), but people are lazy.
You don't 'lose' anything, you gain a second set of creds that have an independent lifecycle. The only time this is awkward is if you're using the web console b/c you need to keep going through the assume role/return links.
That's what I meant, but admittedly I communicated it poorly - you need to reconfigure various bits of the code to use this credentials chain, which can sometimes not be supported by poorly written tools.
Not to mention you can just use a new --profile for that session and switch between them with a single argument or environment variable. I don't think it's possible to get easier than that :)
