AWS CloudFormation
User Guide (Version )


Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.

If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request. This operation works for access keys under the AWS account. Consequently, you can use this operation to manage AWS account root user credentials. This is true even if the AWS account has no associated users.

For information about limits on the number of keys you can create, see Limitations on IAM Entities in the IAM User Guide.


To ensure the security of your AWS account, the secret access key is accessible only during key and user creation. You must save the key (for example, in a text file) if you want to be able to access it again. If a secret key is lost, you can delete the access keys for the associated user and then create new keys.


To declare this entity in your AWS CloudFormation template, use the following syntax:


{ "Type" : "AWS::IAM::AccessKey", "Properties" : { "Serial" : Integer, "Status" : String, "UserName" : String } }


Type: AWS::IAM::AccessKey Properties: Serial: Integer Status: String UserName: String



This value is specific to CloudFormation and can only be incremented. Incrementing this value notifies CloudFormation that you want to rotate your access key. When you update your stack, CloudFormation will replace the existing access key with a new key.

Required: No

Type: Integer

Update requires: Replacement


The status of the access key. Active means that the key is valid for API calls, while Inactive means it is not.

Required: No

Type: String

Allowed Values: Active | Inactive

Update requires: No interruption


The name of the IAM user that the new key will belong to.

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

Required: Yes

Type: String

Minimum: 1

Maximum: 128

Pattern: [\w+=,.@-]+

Update requires: Replacement

Return Values


When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the AccessKeyId. For example: AKIAIOSFODNN7EXAMPLE.

For more information about using the Ref function, see Ref.


The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.


Returns the secret access key for the specified AWS::IAM::AccessKey resource. For example: wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY.

See Also