Amazon Glacier
Developer Guide (API Version 2012-06-01)

Authentication and Access Control for Amazon Glacier

Access to Amazon Glacier requires credentials that AWS can use to authenticate your requests. Those credentials must have permissions to access AWS resources, such as an Amazon Glacier vault or an Amazon S3 bucket. The following sections provide details on how you can use AWS Identity and Access Management (IAM) and Amazon Glacier to help secure your resources by controlling who can access them:


You can access AWS as any of the following types of identities:

  • AWS account root user – When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks..

  • IAM user – An IAM user is an identity within your AWS account that has specific custom permissions (for example, permissions to create a vault in Amazon Glacier). You can use an IAM user name and password to sign in to secure AWS webpages like the AWS Management Console, AWS Discussion Forums, or the AWS Support Center.


    In addition to a user name and password, you can also generate access keys for each user. You can use these keys when you access AWS services programmatically, either through one of the several SDKs or by using the AWS Command Line Interface (CLI). The SDK and CLI tools use the access keys to cryptographically sign your request. If you don’t use AWS tools, you must sign the request yourself. Amazon Glacier supports Signature Version 4, a protocol for authenticating inbound API requests. For more information about authenticating requests, see Signature Version 4 Signing Process in the AWS General Reference.


  • IAM role – IAM roles with temporary credentials are useful in the following situations:


    • Federated user access



    • AWS service access


    • Applications running on Amazon EC2

Access Control

You can have valid credentials to authenticate your requests, but unless you have permissions you cannot create or access Amazon Glacier resources. For example, you must have permissions to create an Amazon Glacier vault.

The following sections describe how to manage permissions. We recommend that you read the overview first.