How an IAM administrator can manage IAM user access keys
IAM administrators can create, activate, deactivate, and delete the access keys associated with individual IAM users. They can also list the IAM users in the account that have access keys and locate which IAM user a specific access key belongs to.
To create an access key for an IAM user
Choose the tab for the procedure you want to follow to create an access key:
- IAM console
  - Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  - In the navigation pane, choose Users.
  - Choose the user name to go to the user details page.
  - On the Security credentials tab, in the Access keys section, choose Create access key.
    If the button is deactivated, you must delete one of the existing keys before you can create a new one.
  - On the Access key best practices & alternatives page, review the best practices and alternatives. Choose your use case to learn about additional options that can help you avoid creating a long-term access key.
  - If you determine that your use case still requires an access key, choose Other and then choose Next.
  - On the Retrieve access key page, choose Show to reveal the value of your user's secret access key.
  - To save the access key ID and secret access key to a .csv file in a secure location on your computer, choose the Download .csv file button.
  When you create an access key for your user, that key pair is active by default, and your user can use the pair right away.
- AWS CLI
  Run the following command:
- API
  Call the following operation:
To deactivate an access key for an IAM user
Choose the tab for the procedure you want to follow to deactivate an access key:
- IAM console
  - Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  - In the navigation pane, choose Users.
  - Choose the user name to go to the user details page.
  - On the Security credentials tab, in the Access keys section, choose the Actions drop-down menu, then choose Deactivate.
  - In the Deactivate dialog box, confirm that you want to deactivate the access key by selecting Deactivate.
  After an access key is deactivated, it can no longer be used by API calls. You can activate it again if needed.
- AWS CLI
  Run the following command:
- API
  Call the following operation:
To activate an access key for an IAM user
Choose the tab for the procedure you want to follow to activate an access key:
- IAM console
  - Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  - In the navigation pane, choose Users.
  - Choose the user name to go to the user details page.
  - On the Security credentials tab, in the Access keys section, choose the Actions drop-down menu, then choose Activate.
  After an access key is activated, it can be used by API calls. You can deactivate it again if needed.
- AWS CLI
  Run the following command:
- API
  Call the following operation:
To delete an access key for an IAM user
After an access key has been deactivated, if it is no longer required, delete it.
Choose the tab for the procedure you want to follow to delete an access key:
- IAM console
  - Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  - In the navigation pane, choose Users.
  - Choose the user name to go to the user details page.
  - On the Security credentials tab, in the Access keys section, choose the Actions drop-down menu for the inactive access key, then choose Delete.
  - In the Delete dialog box, confirm that you want to delete the access key by entering the access key ID in the text input field and then selecting Delete.
  After an access key is deleted, it can't be recovered.
- AWS CLI
  Run the following command:
- API
  Call the following operation:
To list the access keys for an IAM user
You can view a list of the access key IDs associated with an IAM user.
Choose the tab for the procedure you want to follow to view the list of access keys:
- IAM console
  - Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  - In the navigation pane, choose Users.
  - Choose the user name to go to the user details page.
  - On the Security credentials tab, the Access keys section lists the access key IDs for the user, including the status of each key.
  Only the user's access key ID is visible. The secret access key can only be retrieved when the key is created.
  Each IAM user can have two access keys.
- AWS CLI
  Run the following command:
- API
  Call the following operation:
To display all the access key IDs for users in your account
You can view a list of the access key IDs for users in your AWS account.
Choose the tab for the procedure you want to follow to view the list of access keys:
- IAM console
  - Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  - In the navigation pane, choose Users.
  - Choose the user name to go to the user details page.
  - If necessary, add the Access key ID column to the users table by completing the following steps:
    - Above the table on the far right, choose the Preferences icon.
    - In the Preferences dialog box, under Select visible columns, turn on Access key ID.
    - Choose Confirm to return to the list of users. The list is updated to include the access key ID.
  - The Access key ID column shows the state of each access key, followed by its ID; for example, Active - AKIAIOSFODNN7EXAMPLE or Inactive - AKIAI44QH8DHBEXAMPLE.
    You can use this information to view and copy the access key IDs for users with one or two access keys. The column displays "-" for users with no access key.
  The secret access key can only be retrieved when the key is created.
  Each IAM user can have two access keys.
To use an access key ID to find a user
You can use an access key ID to find a user in your AWS account.
Choose the tab for the procedure you want to follow to find a user by access key ID:
- IAM console
  - Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  - In the navigation pane, in the search box, enter the access key ID, for example AKIAI44QH8DHBEXAMPLE.
  - The IAM user that the access key ID is associated with appears in the navigation pane. Choose the user name to go to the user details page.
To find the most recent use of an access key ID
The most recent use of an access key is displayed in the users list on the IAM users page and on the user details page, and is part of the credential report.
Choose the tab for the procedure you want to follow to find the most recent use of an access key:
- IAM console
  - Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  - In the users list, see the Access key last used column.
    If the column is not displayed, choose the Preferences icon and, under Select visible columns, turn on Access key last used to display the column.
  - (Optional) In the navigation pane, under Access reports, select Credential report to download a report that includes the access key last used information for all of the IAM users in your account.
  - (Optional) Select the IAM user to view the user details. The Summary section includes the access key IDs, their status, and when they were last used.
- AWS CLI
  Run the following command:
- API
  Call the following operation:
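The procedures above (listing every user's key IDs, mapping a key ID back to its user, checking last use, and deactivating then deleting keys that are no longer required) are usually run as a periodic audit rather than one click-path at a time. The following is an added example, not code from this page or from AWS: it works offline on constructed sample data laid out in the JSON shape that the `aws iam list-access-keys` and `aws iam get-access-key-last-used` CLI commands return (that shape is an assumption taken from the CLI's output, not from this page), and reports which keys an administrator should rotate, deactivate, or delete. The two-key limit and the "deactivate, then delete" order are taken from the text above; the 90-day and 45-day thresholds are assumed policy values.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, merged from what `aws iam list-access-keys` returns per user.
LIST_ACCESS_KEYS = json.loads("""{"AccessKeyMetadata": [
 {"UserName": "alice", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active",
  "CreateDate": "2023-01-10T12:00:00+00:00"},
 {"UserName": "alice", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE", "Status": "Inactive",
  "CreateDate": "2022-06-01T09:30:00+00:00"},
 {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLEKEY000003", "Status": "Active",
  "CreateDate": "2024-04-01T08:00:00+00:00"}]}""")

# Constructed sample of `aws iam get-access-key-last-used` output per key (assumed
# shape): a never-used key has no LastUsedDate and "N/A" for ServiceName/Region.
LAST_USED = {
    "AKIAIOSFODNN7EXAMPLE": {"AccessKeyLastUsed": {"LastUsedDate": "2024-04-20T15:00:00+00:00",
                                                   "ServiceName": "s3", "Region": "us-east-1"}},
    "AKIAI44QH8DHBEXAMPLE": {"AccessKeyLastUsed": {"LastUsedDate": "2023-02-01T10:00:00+00:00",
                                                   "ServiceName": "sts", "Region": "us-east-1"}},
    "AKIAEXAMPLEKEY000003": {"AccessKeyLastUsed": {"ServiceName": "N/A", "Region": "N/A"}},
}
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)  # fixed "now" so results are reproducible

def find_user(listing, access_key_id):
    """Map an access key ID back to its IAM user (the console search-box procedure)."""
    for k in listing["AccessKeyMetadata"]:
        if k["AccessKeyId"] == access_key_id:
            return k["UserName"]
    return None

def users_at_key_limit(listing, limit=2):
    """Users already holding the maximum of two keys; Create access key is disabled for them."""
    counts = {}
    for k in listing["AccessKeyMetadata"]:
        counts[k["UserName"]] = counts.get(k["UserName"], 0) + 1
    return sorted(u for u, c in counts.items() if c >= limit)

def audit(listing, last_used, now=NOW, max_age_days=90, unused_days=45):
    """Return {access_key_id: [findings]} for keys that need administrator attention."""
    findings = {}
    for k in listing["AccessKeyMetadata"]:
        notes = []
        if now - datetime.fromisoformat(k["CreateDate"]) > timedelta(days=max_age_days):
            notes.append("rotate: older than %d days" % max_age_days)
        lu = last_used.get(k["AccessKeyId"], {}).get("AccessKeyLastUsed", {})
        if "LastUsedDate" not in lu:
            notes.append("never used: consider deleting")
        elif now - datetime.fromisoformat(lu["LastUsedDate"]) > timedelta(days=unused_days):
            notes.append("unused for >%d days: deactivate, then delete" % unused_days)
        if k["Status"] == "Inactive":
            notes.append("inactive: delete if no longer required")
        if notes:
            findings[k["AccessKeyId"]] = notes
    return findings
```

Replace the constructed dictionaries with the parsed output of the two CLI commands to run this against a real account; the deactivate and delete actions themselves are still taken through the console, CLI, or API as described above.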