AWS Identity and Access Management
Using IAM (API Version 2010-05-08)

Managing Access Keys for IAM Users

Users need their own access keys to make programmatic calls to AWS using the AWS Command Line Interface (AWS CLI), the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. To fill this need, you can create, modify, view, or rotate access keys (access key IDs and secret access keys) for IAM users.

When you create an access key, IAM returns the access key ID and secret access key. You should save these in a secure location and give them to the user. To ensure the security of your AWS account, the secret access key is accessible only at the time you create it. If a secret access key is lost, you must delete the access key for the associated user and then create a new key.

By default, when you create an access key, its status is Active, which means the user can use the access key for API calls. Each user can have at most two access keys (Active and Inactive keys both count toward that limit), which is what makes rotation possible: you create the second key while the first is still in use. You can disable a user's access key by setting it to Inactive, which means it can't be used for API calls; the key still exists and can be made Active again later. You might do this while you're rotating keys or to revoke API access for a user.

You can delete an access key at any time. However, when you delete an access key, it's gone forever and cannot be retrieved. (You can always create new keys.)

You can give your users permission to list, rotate, and manage their own keys. For more information, see Allow Users to Manage Their Own Passwords and Access Keys.

For more information about the credentials used with AWS and IAM, see How Do I Get Credentials? in Using IAM, and Types of Security Credentials in the Amazon Web Services General Reference.

Creating, Modifying, and Viewing Access Keys (AWS Management Console)

To list a user's access keys

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, click Users.

  3. Click the name of the user you want to list access keys for, then scroll down to the Security Credentials section. The user's access keys and the status of each key are displayed.

    Note

    Only the user's access key ID is visible. The secret access key can only be retrieved when creating the key.

To create, modify, or delete a user's access keys

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, click Users.

  3. Click the name of the user you want to manage an access key for, then scroll down to the Security Credentials section.

  4. Click Manage Access Keys and do any of the following:

    • To create an access key, click Create Access Key and then click Download Credentials to save the access key ID and secret access key to a CSV file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this dialog box closes. After you have downloaded the CSV file, click Close.

    • To disable an active access key, click Make Inactive.

    • To reenable an inactive access key, click Make Active.

    • To delete an access key, click Delete and then click Confirm.

Creating, Modifying, and Viewing Access Keys (AWS CLI and API)

To manage a user's access keys using the AWS CLI or the IAM API, use the following commands:

    • To create an access key: AWS CLI: aws iam create-access-key; IAM API: CreateAccessKey

    • To list a user's access keys and their status: AWS CLI: aws iam list-access-keys; IAM API: ListAccessKeys

    • To make an access key Inactive or Active: AWS CLI: aws iam update-access-key; IAM API: UpdateAccessKey

    • To delete an access key: AWS CLI: aws iam delete-access-key; IAM API: DeleteAccessKey

The list and update commands never return the secret access key; it is returned only by the create command, at creation time.

Rotating Access Keys (AWS CLI and API)

As a security best practice, we recommend that you, an administrator, regularly rotate (change) the access keys for IAM users in your account. If your users have the necessary permissions, they can rotate their own access keys. For information about how to give your users permissions to rotate their own access keys, see Allow Users to Manage Their Own Passwords and Access Keys.

You can also apply a password policy to your account to require all your IAM users to periodically rotate their passwords, and you can choose how often they must do so. For more information, see Setting an Account Password Policy for IAM Users.

Important

If you use the AWS account (root) credentials on a regular basis, we recommend that you also regularly rotate those. The account password policy does not apply to the AWS account credentials. IAM users cannot manage credentials for the AWS account, so you must use the AWS account's credentials (not a user's) to change the AWS account credentials. Note that we recommend against using the AWS account credentials for everyday work in AWS.

The following steps describe the general process for rotating an access key without interrupting your applications. These steps show the AWS CLI and IAM API commands for rotating access keys. You can also perform these tasks using the console; for details, see Creating, Modifying, and Viewing Access Keys (AWS Management Console).

  1. While the first access key is still active, create a second access key, which will be active by default. At this point, the user has two active access keys.

    AWS CLI: aws iam create-access-key

    IAM API: CreateAccessKey

  2. Update all applications and tools to use the new access key.

  3. Determine if the first access key is still in use. The date, service, and region of a key's most recent use are available from the AWS CLI (aws iam get-access-key-last-used) and the IAM API (GetAccessKeyLastUsed); a key that has never been used has no last-used date in the response. Do not move to the next step until the first key has gone unused for long enough to cover any infrequently run jobs that might still hold it.

  4. When the first access key is no longer in use, change the state of the first access key to Inactive.

    AWS CLI: aws iam update-access-key

    IAM API: UpdateAccessKey

    If you need to, you can revert to using the first access key by switching its state back to Active.

  5. Using only the new access key, confirm that your applications are working.

  6. Delete the first access key.

    AWS CLI: aws iam delete-access-key

    IAM API: DeleteAccessKey
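The six steps above, carried out as a script with the safety checks a practitioner would want at each step (the two-key limit, the last-used check before deactivating, and a refusal to delete a key that is still Active). This is an added example, not code from the AWS documentation; it also covers the CLI/API command list in the previous section, since each function maps onto one of those commands. The functions call the boto3 IAM client methods `create_access_key`, `list_access_keys`, `get_access_key_last_used`, `update_access_key` and `delete_access_key` with their real argument names and response shapes. `FakeIAM`, the user name, the timestamps, and the key IDs and secrets are constructed stand-ins so the flow runs offline; with real credentials, pass `boto3.client("iam")` in place of `FakeIAM()`.

```python
"""Zero-downtime rotation of an IAM user's access keys, following the six
steps in the text. Added example; not code from the AWS documentation.
FakeIAM is a constructed in-memory stand-in with the boto3 IAM client's
method names and response shapes; substitute boto3.client("iam") to run
against a real account."""
from datetime import datetime, timedelta, timezone

MAX_KEYS_PER_USER = 2  # IAM allows at most two access keys per user, Active or Inactive


class FakeIAM:
    """Constructed stand-in mimicking the IAM client's responses (not boto3)."""

    def __init__(self):
        self._keys = {}    # access key ID -> record
        self._count = 0

    def list_access_keys(self, UserName):
        # As on the real service, the listing never includes the secret.
        return {"AccessKeyMetadata": [
            {"UserName": r["UserName"], "AccessKeyId": kid,
             "Status": r["Status"], "CreateDate": r["CreateDate"]}
            for kid, r in self._keys.items() if r["UserName"] == UserName]}

    def create_access_key(self, UserName):
        if len(self.list_access_keys(UserName=UserName)["AccessKeyMetadata"]) >= MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded: cannot exceed quota for AccessKeysPerUser")
        self._count += 1
        kid = f"AKIAFAKEKEY{self._count:09d}"       # fabricated 20-character ID, not a real key
        self._keys[kid] = {"UserName": UserName, "Status": "Active", "LastUsed": None,
                           "CreateDate": datetime(2024, 1, 1, tzinfo=timezone.utc)}
        # The secret is returned exactly once, at creation, as on the real service.
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": kid, "Status": "Active",
                              "SecretAccessKey": f"fake-secret-{self._count}"}}

    def get_access_key_last_used(self, AccessKeyId):
        r = self._keys[AccessKeyId]
        used = {"ServiceName": "N/A", "Region": "N/A"}   # shape returned for a never-used key
        if r["LastUsed"] is not None:
            used = {"LastUsedDate": r["LastUsed"], "ServiceName": "s3", "Region": "us-east-1"}
        return {"UserName": r["UserName"], "AccessKeyLastUsed": used}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self._keys[AccessKeyId]["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self._keys[AccessKeyId]

    def simulate_signed_call(self, AccessKeyId, when):
        """Stand-in for an application signing a request with the key at time `when`."""
        if self._keys.get(AccessKeyId, {}).get("Status") != "Active":
            raise PermissionError("InvalidClientTokenId: key is inactive or deleted")
        self._keys[AccessKeyId]["LastUsed"] = when


def begin_rotation(iam, user):
    """Step 1: create the second key while the first stays Active.
    Returns (new key dict including the one-time secret, IDs of the existing keys)."""
    existing = [k["AccessKeyId"] for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]]
    if len(existing) >= MAX_KEYS_PER_USER:
        raise RuntimeError(f"{user} already has {len(existing)} keys; finish the previous rotation first")
    return iam.create_access_key(UserName=user)["AccessKey"], existing


def key_unused_since(iam, key_id, cutover):
    """Step 3: True if the key has no recorded use at or after `cutover`.
    LastUsedDate is absent from the response for a key that has never been used."""
    last = iam.get_access_key_last_used(AccessKeyId=key_id)["AccessKeyLastUsed"].get("LastUsedDate")
    return last is None or last < cutover


def deactivate_old_key(iam, user, key_id, cutover):
    """Step 4: set the old key to Inactive, but only if nothing used it after the cutover.
    Returns False, changing nothing, if a straggler still signs with it."""
    if not key_unused_since(iam, key_id, cutover):
        return False
    iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
    return True


def finish_rotation(iam, user, key_id):
    """Step 6: delete the old key. Refuses unless it is already Inactive, because deletion
    is irreversible and an Active key may still be serving traffic."""
    status = {k["AccessKeyId"]: k["Status"]
              for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]}
    if status.get(key_id) != "Inactive":
        raise RuntimeError(f"{key_id} is {status.get(key_id)}; deactivate it and observe first")
    iam.delete_access_key(UserName=user, AccessKeyId=key_id)


def demo():
    """Walk all six steps against the fake client; returns what each step observed."""
    iam, user = FakeIAM(), "alice"                                  # constructed user
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    old = iam.create_access_key(UserName=user)["AccessKey"]["AccessKeyId"]  # the key being rotated
    iam.simulate_signed_call(old, t0)
    new, previous = begin_rotation(iam, user)                       # step 1
    new_id = new["AccessKeyId"]
    try:
        begin_rotation(iam, user); limit_hit = False                # a third key is refused
    except RuntimeError:
        limit_hit = True
    cutover = t0 + timedelta(hours=1)                               # step 2: apps switched to new_id
    iam.simulate_signed_call(old, cutover + timedelta(minutes=5))   # one job still uses the old key
    first_try = deactivate_old_key(iam, user, old, cutover)         # steps 3-4: refused, still in use
    iam.simulate_signed_call(new_id, cutover + timedelta(hours=2))
    second_try = deactivate_old_key(iam, user, old, cutover + timedelta(days=1))  # idle for a day
    try:
        iam.simulate_signed_call(old, cutover + timedelta(days=2)); old_rejected = False
    except PermissionError:
        old_rejected = True                                         # step 5: old key refused
    finish_rotation(iam, user, old)                                 # step 6
    remaining = [k["AccessKeyId"] for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]]
    return {"previous": previous, "limit_hit": limit_hit, "first_try": first_try,
            "second_try": second_try, "old_rejected": old_rejected,
            "new_id": new_id, "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

The cutover time passed to `deactivate_old_key` should be the moment the last application was reconfigured, not the time the script runs; any use recorded after it means step 2 is not actually finished, which is exactly the case the first deactivation attempt in `demo()` catches. With a real client the same functions work unchanged, but the new key's `SecretAccessKey` must be handed to the user or secret store immediately, since it cannot be retrieved again.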

For more information, see the following: