Managing IAM Access Keys

Users need their own access keys to make programmatic calls to AWS. To fill this need, you can create, modify, view, or rotate access keys (access key IDs and secret access keys) for IAM users. By default, when you create an access key, its status is Active, which means the user can use the access key for API calls.

The examples below show how to:

  • Create a secret access key and corresponding access key ID using CreateAccessKey.
  • Return information about the access key IDs associated with an IAM user using ListAccessKeys.
  • Retrieve information about when an access key was last used using GetAccessKeyLastUsed.
  • Change the status of an access key from Active to Inactive, or vice versa, using UpdateAccessKey.
  • Delete an access key pair associated with an IAM user using DeleteAccessKey.

All the example code for the AWS SDK for PHP is available here on GitHub.

Credentials

Before running the example code, configure your AWS credentials, as described in Credentials.

Create an Access Key

require 'vendor/autoload.php';
use Aws\Iam\IamClient;
use Aws\Exception\AwsException;

$client = new IamClient([
    'profile' => 'default',
    'region' => 'us-west-2',
    'version' => '2010-05-08'
]);
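try {
    $result = $client->createAccessKey([
        'UserName' => 'IAM_USER_NAME',
    ]);
    // The result contains the SecretAccessKey, which is returned only by this call.
    // var_dump prints it in clear text: store the secret securely and keep this output out of logs.
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    error_log($e->getMessage());
}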

List Access Keys

require 'vendor/autoload.php';
use Aws\Iam\IamClient;
use Aws\Exception\AwsException;

$client = new IamClient([
    'profile' => 'default',
    'region' => 'us-west-2',
    'version' => '2010-05-08'
]);
try {
    $result = $client->listAccessKeys();
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    error_log($e->getMessage());
}

Get Info about Access Key's Last Usage

require 'vendor/autoload.php';
use Aws\Iam\IamClient;
use Aws\Exception\AwsException;

$client = new IamClient([
    'profile' => 'default',
    'region' => 'us-west-2',
    'version' => '2010-05-08'
]);
try {
    $result = $client->getAccessKeyLastUsed([
        'AccessKeyId' => 'ACCESS_KEY_ID', // REQUIRED
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    error_log($e->getMessage());
}

Update an Access Key

require 'vendor/autoload.php';
use Aws\Iam\IamClient;
use Aws\Exception\AwsException;

$client = new IamClient([
    'profile' => 'default',
    'region' => 'us-west-2',
    'version' => '2010-05-08'
]);
try {
    $result = $client->updateAccessKey([
        'AccessKeyId' => 'ACCESS_KEY_ID', // REQUIRED
        'Status' => 'Inactive', // REQUIRED
        'UserName' => 'IAM_USER_NAME',
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    error_log($e->getMessage());
}

Delete an Access Key

require 'vendor/autoload.php';
use Aws\Iam\IamClient;
use Aws\Exception\AwsException;

$client = new IamClient([
    'profile' => 'default',
    'region' => 'us-west-2',
    'version' => '2010-05-08'
]);
try {
    $result = $client->deleteAccessKey([
        'AccessKeyId' => 'ACCESS_KEY_ID', // REQUIRED
        'UserName' => 'IAM_USER_NAME',
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    error_log($e->getMessage());
}
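
The calls above can be combined into a stale-key check. The following is an added example, not part of the original AWS sample code: it lists a user's keys, reads each key's last-used date, and sets keys that have been idle past a threshold to Inactive rather than deleting them. The 90-day threshold and the `IAM_USER_NAME` placeholder are assumptions.

```php
<?php
require 'vendor/autoload.php';

use Aws\Iam\IamClient;
use Aws\Exception\AwsException;

// Assumptions for this example: placeholder user name and a 90-day idle threshold.
$userName = 'IAM_USER_NAME';
$maxIdleDays = 90;

$client = new IamClient([
    'profile' => 'default',
    'region' => 'us-west-2',
    'version' => '2010-05-08'
]);

try {
    $cutoff = new DateTimeImmutable("-{$maxIdleDays} days");
    $keys = $client->listAccessKeys(['UserName' => $userName]);

    foreach ($keys['AccessKeyMetadata'] as $key) {
        if ($key['Status'] !== 'Active') {
            continue; // already disabled, nothing to do
        }

        $usage = $client->getAccessKeyLastUsed(['AccessKeyId' => $key['AccessKeyId']]);
        // LastUsedDate is missing for a key that was never used; fall back to its creation date
        $lastActivity = $usage['AccessKeyLastUsed']['LastUsedDate'] ?? $key['CreateDate'];

        if ($lastActivity < $cutoff) {
            // Inactive can be switched back to Active; deletion cannot be undone
            $client->updateAccessKey([
                'AccessKeyId' => $key['AccessKeyId'],
                'Status' => 'Inactive',
                'UserName' => $userName,
            ]);
            // Only the access key ID is printed; the secret is never available here
            echo sprintf(
                "Deactivated %s (last activity %s)\n",
                $key['AccessKeyId'],
                $lastActivity->format('Y-m-d')
            );
        }
    }
} catch (AwsException $e) {
    // output error message if fails
    error_log($e->getMessage());
}
```

Once a deactivated key has stayed Inactive without breaking any workload, it can be removed with DeleteAccessKey as shown above.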