The following sections give basic information about authentication and the identifiers AWS uses.
What Is Authentication?
Authentication is a process for identifying and verifying who is sending a request. The following diagram shows a simplified version of an authentication process.
Figure: General Process of Authentication
1. The sender obtains the necessary credential.
2. The sender sends a request with the credential to the recipient.
3. The recipient uses the credential to verify the sender truly sent the request.
4. If yes, the recipient processes the request. If no, the recipient rejects the request and responds accordingly.
During authentication, AWS verifies both the identity of the sender and whether the sender is registered to use services offered by AWS. If either test fails, the request is not processed further.
For further discussion of authentication, go to the techencylopedia.com entry for authentication. For definitions of common industry terms related to authentication, go to the RSA Laboratories Glossary.
Your AWS Account
To access any web services offered by AWS, you must first create an AWS account at http://aws.amazon.com. An AWS account is simply an Amazon.com account that is enabled to use AWS products; you can use an existing Amazon.com account login and password when creating the AWS account.
Alternatively, you can create a new AWS-enabled Amazon.com account by using a new login and password. The e-mail address you provide as the account login must be valid. You'll be asked to provide a credit card or other payment method to cover the charges for any AWS products you use.
From your AWS account you can view your AWS account activity, view usage reports, and manage your AWS account access identifiers.
Your AWS Access Credentials
When you create an AWS account, AWS assigns you a pair of related identifiers:
Access Key ID (a 20-character, alphanumeric sequence)
For example: AKIAIOSFODNN7EXAMPLE
Secret Access Key (a 40-character sequence)
For example: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
These are your AWS access key identifiers.
Your Secret Access Key is a secret and only you and AWS should know it. It is important to keep it confidential to protect your account. Store it securely in a safe place. Never include it in your requests to AWS, and never e-mail it to anyone. Do not share it outside your organization, even if an inquiry appears to come from AWS or Amazon.com. No one who legitimately represents Amazon will ever ask you for your Secret Access Key.
The Access Key ID is associated with your AWS account. You include it in authenticated REST-Query requests to identify yourself as the sender of the request.
The Access Key ID is not a secret, and anyone could use your Access Key ID in requests to AWS. To provide proof that you truly are the sender of the request, you must also include a digital signature. For authenticated REST-Query requests, you calculate the signature using your Secret Access Key. AWS uses the Access Key ID in the request to look up your Secret Access Key and then calculates a digital signature with the key. If the signature AWS calculates matches the signature you sent, the request is considered authentic. Otherwise, the request fails authentication and is not processed.
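The sign, look up, recompute and compare flow described above, as an added example that is not AWS code and does not reproduce the actual AWS signing algorithm. The use of HMAC-SHA256, the canonical string layout, the parameter names AccessKeyId and Signature, and the host service.example.com are assumptions of this sketch; the key pair is the example pair shown on this page.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed server-side store: Access Key ID -> Secret Access Key (the page's example pair).
SECRET_KEYS = {"AKIAIOSFODNN7EXAMPLE": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}


def string_to_sign(method, host, path, params):
    """Assumed canonical form: method, host, path, then sorted percent-encoded parameters."""
    query = "&".join(
        f"{quote(k, safe='')}={quote(str(v), safe='')}" for k, v in sorted(params.items())
    )
    return "\n".join([method.upper(), host.lower(), path, query])


def compute_signature(secret_key, method, host, path, params):
    """HMAC-SHA256 (an assumption) over the canonical string, base64-encoded."""
    message = string_to_sign(method, host, path, params).encode()
    mac = hmac.new(secret_key.encode(), message, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def sign_request(access_key_id, secret_key, method, host, path, params):
    """Sender side: add the key ID and the signature; the secret itself is never sent."""
    signed = dict(params, AccessKeyId=access_key_id)
    signed["Signature"] = compute_signature(secret_key, method, host, path, signed)
    return signed


def verify_request(method, host, path, params):
    """Recipient side: look up the secret by key ID, recompute, compare in constant time."""
    unsigned = dict(params)
    sent = unsigned.pop("Signature", None)
    secret = SECRET_KEYS.get(unsigned.get("AccessKeyId"))
    if sent is None or secret is None:
        return False  # unsigned request or unregistered sender
    expected = compute_signature(secret, method, host, path, unsigned)
    return hmac.compare_digest(expected.encode(), str(sent).encode())


if __name__ == "__main__":
    key_id = "AKIAIOSFODNN7EXAMPLE"
    req = sign_request(key_id, SECRET_KEYS[key_id], "GET", "service.example.com", "/",
                       {"Action": "ListItems"})  # constructed request
    print(verify_request("GET", "service.example.com", "/", req))
    print(verify_request("GET", "service.example.com", "/", dict(req, Action="DeleteItems")))
```

Because the signature covers every parameter, changing any value after signing makes the recomputed signature differ, and knowing only the Access Key ID is not enough to produce a matching one.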
Viewing Your AWS Access Credentials
Your Access Key ID and Secret Access Key are displayed to you when you create your AWS account. They are not e-mailed to you. If you need to see them again, you can view them at any time from your AWS account.
To get your AWS access credentials
Go to the Amazon Web Services web site at http://aws.amazon.com.
Point to Your Account and click Security Credentials.
Log in to your AWS account.
Your Access Key ID is displayed in the Access Credentials section of the resulting page.
To display your Secret Access Key, click Show.