AWS Identity and Access Management
User Guide

Managing Access Keys for IAM Users

Note

If you found this topic because you are trying to configure the Product Advertising API to sell Amazon products on your website, see these topics:

Users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. To fill this need, you can create, modify, view, or rotate access keys (access key IDs and secret access keys) for IAM users.

When you create an access key, IAM returns the access key ID and secret access key. You should save these in a secure location and give them to the user.

Important

To ensure the security of your AWS account, the secret access key is accessible only at the time you create it. If a secret access key is lost, you must delete the access key for the associated user and create a new key. For more details, see Retrieving Your Lost or Forgotten Passwords or Access Keys.

By default, when you create an access key, its status is Active, which means the user can use the access key for AWS CLI, Tools for Windows PowerShell, and API calls. Each user can have at most two access keys, which is what makes it possible to rotate a user's access keys without downtime. You can disable a user's access key, which means it can't be used for API calls. You might do this while you're rotating keys or to revoke API access for a user.

You can delete an access key at any time. However, when you delete an access key, it's gone forever and cannot be retrieved. (You can always create new keys.)

You can give your users permission to list, rotate, and manage their own keys. For more information, see Allow Users to Manage Their Own Passwords, Access Keys, and SSH Keys.

For more information about the credentials used with AWS and IAM, see Temporary Security Credentials, and Types of Security Credentials in the Amazon Web Services General Reference.

Creating, Modifying, and Viewing Access Keys (Console)

You can use the AWS Management Console to manage the access keys of IAM users.

To list the access key IDs for multiple users

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. If necessary, add the Access key ID column to the users table by completing the following steps:

    1. Above the table on the far right, choose the settings icon.

    2. In Manage Columns, select Access key ID.

    3. Choose Close to return to the list of users.

  4. The Access key ID column includes the access key IDs. You can use this column to view and copy the access key IDs of users with one or two access keys. The column also shows whether each access key is (Active) or (Inactive). The column displays None for users with no access key.

    Note

    Only the user's access key ID and status are visible. The secret access key can be retrieved only when the key is created.

To find which user owns a specific access key

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. In the search box, type or paste the access key ID of the user you want to find.

  4. If necessary, add the Access key ID column to the users table by completing the following steps:

    1. Above the table on the far right, choose the settings icon.

    2. In Manage Columns, select Access key ID.

    3. Choose Close to return to the list of users and confirm that the filtered user owns the specified access key.

To list a user's access keys

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. Choose the name of the intended user, and then choose the Security Credentials tab. The user's access keys and the status of each key are displayed.

    Note

    Only the user's access key ID is visible. The secret access key can only be retrieved when the key is created.

To create, modify, or delete a user's access keys

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. Choose the name of the desired user, and then choose the Security Credentials tab.

  4. If needed, expand the Access Keys section and do any of the following:

    • To create an access key, choose Create Access Key. Then choose Download Credentials to save the access key ID and secret access key to a CSV file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this dialog box closes. After you have downloaded the CSV file, choose Close.

    • To disable an active access key, choose Make Inactive.

    • To reenable an inactive access key, choose Make Active.

    • To delete an access key, choose Delete and then choose Delete to confirm.

Creating, Modifying, and Viewing Access Keys (API, CLI, PowerShell)

To manage a user's access keys from the AWS CLI, Tools for Windows PowerShell, or the AWS API, use the following commands:

To create an access key

To disable or reenable an access key

To list a user's access keys

To determine when an access key was most recently used

To delete an access key
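The command references above are links in the original page and are not reproduced here. As an added example, not taken from the AWS documentation, the following POSIX shell script uses `aws iam list-users`, `aws iam list-access-keys` and `aws iam get-access-key-last-used` to list every access key in the account, find which user owns a given access key ID, report when a key was last used, and flag active keys created before a cutoff date; these are the CLI counterparts of the console procedures on this page. It assumes the AWS CLI is installed and configured with credentials that allow those three actions. The function names, the `AUDIT_CUTOFF` variable and the example key IDs are this example's own, not AWS identifiers.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): audit IAM user access keys
# with the AWS CLI. Assumes the AWS CLI is installed and the caller's
# credentials allow iam:ListUsers, iam:ListAccessKeys and
# iam:GetAccessKeyLastUsed. Function and variable names are this example's own.
set -e

# One row per access key in the account: user, key ID, status, create date.
# "--output text" with a list projection prints tab-separated rows, which is
# what the awk filters below rely on.
list_all_keys() {
  for user in $(aws iam list-users --output text --query 'Users[].UserName'); do
    aws iam list-access-keys --user-name "$user" --output text \
      --query 'AccessKeyMetadata[].[UserName,AccessKeyId,Status,CreateDate]'
  done
}

# Which user owns a given access key ID? (The console equivalent is pasting
# the ID into the Users search box.) Prints the user name, or nothing.
key_owner() {
  list_all_keys | awk -v k="$1" '$2 == k { print $1 }'
}

# When was a key last used, by which service and in which Region?
# The date column reads "None" for a key that has never been used.
last_used() {
  aws iam get-access-key-last-used --access-key-id "$1" --output text \
    --query 'AccessKeyLastUsed.[LastUsedDate,ServiceName,Region]'
}

# Active keys created before an ISO-8601 UTC cutoff such as 2018-01-01T00:00:00Z,
# i.e. the CLI equivalent of the console's "Access key age" column.
# Only the YYYY-MM-DD prefix is compared, so the "Z" and "+00:00" suffixes the
# CLI may print both work; the comparison is lexical, which is valid for UTC dates.
stale_active_keys() {
  list_all_keys | awk -v c="$1" \
    '$3 == "Active" && substr($4, 1, 10) < substr(c, 1, 10) { print $1, $2, $4 }'
}

# Run directly, e.g. AUDIT_CUTOFF=2018-01-01T00:00:00Z sh audit-keys.sh
if [ -n "${AUDIT_CUTOFF:-}" ]; then
  stale_active_keys "$AUDIT_CUTOFF"
fi
```

Inactive keys are deliberately excluded from `stale_active_keys` because they cannot be used for API calls; they still belong in a cleanup list, which `list_all_keys` gives you in full.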

Rotating Access Keys

As a security best practice, we recommend that you, an administrator, regularly rotate (change) the access keys for IAM users in your account. If your users have the necessary permissions, they can rotate their own access keys. For information about how to give your users permissions to rotate their own access keys, see Allow Users to Manage Their Own Passwords, Access Keys, and SSH Keys.

You can also apply a password policy to your account to require that all of your IAM users periodically rotate their passwords. You can choose how often they must do so. For more information, see Setting an Account Password Policy for IAM Users.

Important

If you use the AWS account root user credentials, we recommend that you also regularly rotate them. The account password policy does not apply to the root user credentials. IAM users cannot manage credentials for the AWS account root user, so you must use the root user credentials (not a user's) to change the root user credentials. Note that we recommend against using the root user for everyday work in AWS.

To determine when access keys need rotating (console)

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. If necessary, add the Access key age column to the users table by completing the following steps:

    1. Above the table on the far right, choose the settings icon.

    2. In Manage Columns, select Access key age.

    3. Choose Close to return to the list of users.

  4. The Access key age column shows the number of days since the oldest active access key was created. You can use this information to find users with access keys that need rotating. The column displays None for users with no access key.

To rotate access keys without interrupting your applications (console)

The following steps describe the general process for rotating an access key without interrupting your applications, using the console. The procedure after this one shows the same process with the AWS CLI, Tools for Windows PowerShell, and AWS API commands. The individual console tasks are described in Creating, Modifying, and Viewing Access Keys (Console), in the section above.

  1. While the first access key is still active, create a second access key, which is active by default. At this point, the user has two active access keys.

    1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

    2. In the navigation pane, choose Users.

    3. Choose the name of the intended user, and then choose the Security Credentials tab.

    4. Choose Create Access Key and then choose Download Credentials to save the access key ID and secret access key to a .csv file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this closes. After you have downloaded the .csv file, choose Close.

  2. Update all applications and tools to use the new access key.

  3. Determine whether the first access key is still in use by reviewing the Last used column for the oldest access key. One approach is to wait several days and then check the old access key for any use before proceeding.

  4. Even if the Last used column value indicates that the old key has never been used, we recommend that you do not immediately delete the first access key. Instead, choose Make inactive to deactivate the first access key.

  5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can choose Make active to reenable the first access key. Then return to Step 2 and update this application to use the new key.

  6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key:

    1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

    2. In the navigation pane, choose Users.

    3. Choose the name of the intended user, and then choose the Security Credentials tab.

    4. In the Access Keys section, find the row for the first (old) access key, choose Delete, and then choose Delete to confirm.

To rotate access keys without interrupting your applications (API, CLI, PowerShell)

  1. While the first access key is still active, create a second access key, which is active by default. At this point, the user has two active access keys.

  2. Update all applications and tools to use the new access key.

  3. Determine whether the first access key is still in use:

    One approach is to wait several days and then check the old access key for any use before proceeding.

  4. Even if Step 3 indicates no use of the old key, we recommend that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive.

  5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to Step 2 and update this application to use the new key.

  6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key.
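As an added example, not part of the AWS documentation, the following POSIX shell script carries out the six steps above with the AWS CLI: it creates the second key only if the user does not already hold two (step 1), checks with `aws iam get-access-key-last-used` whether the old key has been used since the new one went live (step 3), deactivates rather than deletes the old key (step 4), can reactivate it if a forgotten consumer turns up (step 5), and deletes it only as a separate, final call (step 6). Step 2, updating the applications, happens outside the script. The AWS CLI and credentials with the listed IAM permissions are assumed; the function names, the `ROTATE_USER` variable and the key IDs are this example's own.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): the no-outage rotation
# procedure above, scripted with the AWS CLI. Assumes the AWS CLI is installed
# and the caller has iam:ListAccessKeys, iam:CreateAccessKey,
# iam:GetAccessKeyLastUsed, iam:UpdateAccessKey and iam:DeleteAccessKey on the
# target user. Function names are this example's own.
set -eu

# Step 1: create the second key while the first is still active. IAM allows at
# most two keys per user, so refuse up front instead of letting the create call
# fail. Prints "AccessKeyId<TAB>SecretAccessKey" once; the secret is never
# retrievable again, so the caller must store it securely right away.
create_second_key() {
  user=$1
  count=$(aws iam list-access-keys --user-name "$user" --output text \
            --query 'length(AccessKeyMetadata)')
  if [ "$count" -ge 2 ]; then
    echo "$user already has two access keys; finish or abandon the previous rotation first" >&2
    return 1
  fi
  aws iam create-access-key --user-name "$user" --output text \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]'
}

# Step 3: has the old key been used since the new one went live ($2, ISO-8601
# UTC)? get-access-key-last-used reports "None" for a key never used. Returns 0
# (true) if there is use at or after $2; timestamps are compared lexically,
# which is valid for UTC timestamps in the same format.
used_since() {
  key_id=$1
  since=$2
  last=$(aws iam get-access-key-last-used --access-key-id "$key_id" \
           --output text --query 'AccessKeyLastUsed.LastUsedDate')
  [ "$last" != "None" ] && awk -v a="$last" -v b="$since" 'BEGIN { exit !(a >= b) }'
}

# Step 4: deactivate rather than delete, so a consumer that was missed can be
# restored with reactivate_key while it is being updated (step 5).
deactivate_key() { aws iam update-access-key --user-name "$1" --access-key-id "$2" --status Inactive; }
reactivate_key() { aws iam update-access-key --user-name "$1" --access-key-id "$2" --status Active; }

# Step 6: delete the old key after it has sat Inactive long enough to be sure
# nothing still needs it. This is irreversible.
delete_key() { aws iam delete-access-key --user-name "$1" --access-key-id "$2"; }

# Steps 3 and 4 together: refuse to deactivate a key that something still uses,
# because that would break the consumer that was not updated in step 2.
retire_old_key() {
  user=$1
  old_key=$2
  new_key_live=$3
  if used_since "$old_key" "$new_key_live"; then
    echo "$old_key was used after $new_key_live; update that consumer before deactivating" >&2
    return 1
  fi
  deactivate_key "$user" "$old_key"
  echo "$old_key is now Inactive; after a quiet period run: delete_key $user $old_key"
}

# Run directly for step 1 only, e.g. ROTATE_USER=alice sh rotate-key.sh
# (steps 3 to 6 are run later, after applications have been updated).
if [ -n "${ROTATE_USER:-}" ]; then
  create_second_key "$ROTATE_USER"
fi
```

The script never deletes in the same run that it deactivates: the Inactive period is what turns a missed consumer into a recoverable outage (reactivate, update, retry) instead of a lost credential.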

For more information, see the following: