AWS Identity and Access Management
IAM User Guide

Managing Access Keys for IAM Users

Note

If you found this topic because you are trying to configure the Product Advertising API to sell Amazon products on your web site, see these topics:

Users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. To fill this need, you can create, modify, view, or rotate access keys (access key IDs and secret access keys) for IAM users.

When you create an access key, IAM returns the access key ID and secret access key. You should save these in a secure location and give them to the user.

Important

To ensure the security of your AWS account, the secret access key is accessible only at the time you create it. If a secret access key is lost, you must delete the access key for the associated user and create a new key. For more details, see Retrieving Your IAM Access Keys.

By default, when you create an access key, its status is Active, which means the user can use the access key for AWS CLI, Tools for Windows PowerShell, and API calls. Each user can have two active access keys, which is useful when you must rotate the user's access keys. You can disable a user's access key, which means it can't be used for API calls. You might do this while you're rotating keys or to revoke API access for a user.

You can delete an access key at any time. However, when you delete an access key, it's gone forever and cannot be retrieved. (You can always create new keys.)

You can give your users permission to list, rotate, and manage their own keys. For more information, see Allow Users to Manage Their Own Passwords and Access Keys.

For more information about the credentials used with AWS and IAM, see Credentials (Passwords, Access Keys, and MFA devices), and Types of Security Credentials in the Amazon Web Services General Reference.

Creating, Modifying, and Viewing Access Keys (AWS Management Console)

You can use the AWS Management Console to manage the access keys of IAM users.

To list a user's access keys

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, click Users.

  3. Click the name of the desired user, and then scroll down to the Security Credentials section. The user's access keys and the status of each key are displayed.

    Note

    Only the user's access key ID is visible. The secret access key can only be retrieved when creating the key.

To create, modify, or delete a user's access keys

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, click Users.

  3. Click the name of the desired user, then scroll down to the Security Credentials section.

  4. If needed, expand the Access Keys section and do any of the following:

    • To create an access key, click Create Access Key and then click Download Credentials to save the access key ID and secret access key to a CSV file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this dialog box closes. After you have downloaded the CSV file, click Close.

    • To disable an active access key, click Make Inactive.

    • To reenable an inactive access key, click Make Active.

    • To delete an access key, click Delete and then click Delete to confirm.

Creating, Modifying, and Viewing Access Keys (AWS CLI, Tools for Windows PowerShell, and AWS API)

To manage a user's access keys from the AWS CLI, Tools for Windows PowerShell, or the AWS API, use the following commands:

To create an access key

    • AWS CLI: aws iam create-access-key
    • Tools for Windows PowerShell: New-IAMAccessKey
    • AWS API: CreateAccessKey

To disable or reenable an access key

    • AWS CLI: aws iam update-access-key
    • Tools for Windows PowerShell: Update-IAMAccessKey
    • AWS API: UpdateAccessKey

To list a user's access keys

    • AWS CLI: aws iam list-access-keys
    • Tools for Windows PowerShell: Get-IAMAccessKey
    • AWS API: ListAccessKeys

To determine when an access key was most recently used

    • AWS CLI: aws iam get-access-key-last-used
    • Tools for Windows PowerShell: Get-IAMAccessKeyLastUsed
    • AWS API: GetAccessKeyLastUsed

To delete an access key

    • AWS CLI: aws iam delete-access-key
    • Tools for Windows PowerShell: Remove-IAMAccessKey
    • AWS API: DeleteAccessKey

Rotating Access Keys (AWS CLI, Tools for Windows PowerShell, and AWS API)

As a security best practice, we recommend that you, an administrator, regularly rotate (change) the access keys for IAM users in your account. If your users have the necessary permissions, they can rotate their own access keys. For information about how to give your users permissions to rotate their own access keys, see Allow Users to Manage Their Own Passwords and Access Keys.

You can also apply a password policy to your account to require that all of your IAM users periodically rotate their passwords. You can choose how often they must do so. For more information, see Setting an Account Password Policy for IAM Users.

Important

If you regularly use the AWS root account credentials, we recommend that you also regularly rotate them. The account password policy does not apply to the AWS root account credentials. IAM users cannot manage credentials for the AWS root account, so you must use the AWS root account's credentials (not a user's) to change the AWS root account credentials. Note that we recommend against using the AWS root account for everyday work in AWS.

The following steps describe the general process for rotating an access key without interrupting your applications. These steps show the AWS CLI, Tools for Windows PowerShell and AWS API commands for rotating access keys. You can also perform these tasks using the console; for details, see Creating, Modifying, and Viewing Access Keys (AWS Management Console), in the section above.

  1. While the first access key is still active, create a second access key, which is active by default (aws iam create-access-key, New-IAMAccessKey, or CreateAccessKey). At this point, the user has two active access keys. If the user already has two keys, an unused or inactive leftover from an earlier rotation must be deleted before IAM will create a new one.

  2. Update all applications and tools to use the new access key.

  3. Determine whether the first access key is still in use (aws iam get-access-key-last-used, Get-IAMAccessKeyLastUsed, or GetAccessKeyLastUsed):

    One approach is to wait several days and then check the old access key for any use before proceeding.

  4. Even if step 3 indicates no use of the old key, do not delete the first access key immediately. Instead, change its state to Inactive (aws iam update-access-key --status Inactive, Update-IAMAccessKey, or UpdateAccessKey). Unlike deletion, this is reversible.

  5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch the first access key's state back to Active to re-enable it. Then return to step 2 and update that application to use the new key.

  6. After you wait some period of time to ensure that all applications and tools have been updated, delete the first access key (aws iam delete-access-key, Remove-IAMAccessKey, or DeleteAccessKey).
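The following Python script is an added example, not code from the IAM User Guide, that carries the rotation procedure above (and the list and last-used commands from the previous section) through as code against a boto3-style IAM client. The function names audit_keys, start_rotation, retire_old_key and finish_rotation, the thresholds, the FakeIAM stand-in with its constructed key IDs and the AWS documentation example secret are all assumptions of this example; the five calls it makes (list_access_keys, get_access_key_last_used, create_access_key, update_access_key, delete_access_key) are the real boto3 IAM client method names, so replacing FakeIAM with boto3.client("iam") runs it against an account. The waiting periods in steps 3 and 6 are modeled by passing a later now value rather than by sleeping.

```python
"""Audit and rotate an IAM user's access keys through a boto3-style client.

Added example, not code from the IAM User Guide. FakeIAM is a constructed
in-memory stand-in returning the same response shapes as boto3.client("iam").
"""
from datetime import datetime, timedelta, timezone

MAX_KEYS_PER_USER = 2  # IAM allows at most two access keys per user


def audit_keys(iam, user_name, now, max_age_days=90, unused_days=30):
    """One dict per key: age, idle days and a Stale flag (too old, or Active but unused)."""
    report = []
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        used = iam.get_access_key_last_used(AccessKeyId=key["AccessKeyId"])["AccessKeyLastUsed"]
        age = (now - key["CreateDate"]).days
        idle = (now - used.get("LastUsedDate", key["CreateDate"])).days  # never used: idle since creation
        stale = age > max_age_days or (key["Status"] == "Active" and idle > unused_days)
        report.append({"AccessKeyId": key["AccessKeyId"], "Status": key["Status"],
                       "AgeDays": age, "IdleDays": idle, "Stale": stale})
    return report


def start_rotation(iam, user_name):
    """Step 1: create the replacement key while the old one stays Active.

    Refuses at two keys (IAM would reject the call); the secret is only in this response.
    """
    count = len(iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"])
    if count >= MAX_KEYS_PER_USER:
        raise RuntimeError(f"{user_name} already has {count} access keys; delete one first")
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    return new["AccessKeyId"], new["SecretAccessKey"]


def retire_old_key(iam, user_name, old_key_id, now, quiet_days=3):
    """Steps 3-4: set the old key Inactive once unused for quiet_days; never deletes."""
    used = iam.get_access_key_last_used(AccessKeyId=old_key_id)["AccessKeyLastUsed"]
    if "LastUsedDate" in used and (now - used["LastUsedDate"]).days < quiet_days:
        return "still-in-use"
    iam.update_access_key(UserName=user_name, AccessKeyId=old_key_id, Status="Inactive")
    return "deactivated"


def finish_rotation(iam, user_name, old_key_id):
    """Step 6: delete the old key, but only if it is already Inactive (deletion is permanent)."""
    keys = {k["AccessKeyId"]: k for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]}
    if keys[old_key_id]["Status"] != "Inactive":
        return "refused-active"
    iam.delete_access_key(UserName=user_name, AccessKeyId=old_key_id)
    return "deleted"


class FakeIAM:
    """Constructed stand-in for boto3's IAM client (same call names and response shapes)."""
    def __init__(self, now):
        self.now, self.keys, self.last_used, self._n = now, {}, {}, 0
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys.values() if k["UserName"] == UserName]}
    def get_access_key_last_used(self, AccessKeyId):
        used = {"LastUsedDate": self.last_used[AccessKeyId]} if AccessKeyId in self.last_used else {}
        return {"UserName": self.keys[AccessKeyId]["UserName"], "AccessKeyLastUsed": used}
    def create_access_key(self, UserName):
        self._n += 1
        kid = f"AKIAEXAMPLE{self._n:07d}"  # constructed id; the secret below is AWS's documentation example
        self.keys[kid] = {"UserName": UserName, "AccessKeyId": kid, "Status": "Active", "CreateDate": self.now}
        return {"AccessKey": {**self.keys[kid], "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}}
    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status
    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


def demo():
    """Walk one rotation for user 'alice' on the fake client; waits are modeled by advancing now."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    iam = FakeIAM(now)
    old, _ = start_rotation(iam, "alice")
    iam.keys[old]["CreateDate"] = now - timedelta(days=120)  # pretend the key is 120 days old
    iam.last_used[old] = now - timedelta(days=1)             # and that an app used it yesterday
    out = {"audit": audit_keys(iam, "alice", now)[0]}
    new, _secret = start_rotation(iam, "alice")              # step 1: now two Active keys
    try:
        start_rotation(iam, "alice")                         # a third key is refused
        out["third_key_refused"] = False
    except RuntimeError:
        out["third_key_refused"] = True
    out["too_early"] = retire_old_key(iam, "alice", old, now)          # last used 1 day ago
    out["delete_while_active"] = finish_rotation(iam, "alice", old)    # guard: key still Active
    out["after_quiet"] = retire_old_key(iam, "alice", old, now + timedelta(days=7))
    out["deleted"] = finish_rotation(iam, "alice", old)
    out["remaining"] = [k["AccessKeyId"] for k in iam.list_access_keys(UserName="alice")["AccessKeyMetadata"]]
    out["new_key_id"] = new
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two guards are the point: retire_old_key only ever sets Inactive, which step 5 can undo, and finish_rotation refuses to delete a key that is still Active, so a key can never be removed without first passing through the reversible state. Note that audit_keys reports on key IDs and timestamps only; the secret returned by start_rotation is the only copy and should go straight into whatever store the application reads it from.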

For more information, see the following: