Creating and deleting access keys for the AWS account root user - AWS Account Management

Creating and deleting access keys for the AWS account root user

Although we don't recommend it, you can create access keys for your root user so that you can run commands in the AWS Command Line Interface (AWS CLI) or use API operations from one of the AWS SDKs.

Creating access keys for the root user

You can use the AWS Management Console or AWS programming tools to create access keys for the root user.

AWS Management Console
To create an access key for the AWS account root user
Minimum permissions

To perform the following steps, you must have at least the following IAM permissions:

  • You must sign in as the AWS account root user, which requires no additional AWS Identity and Access Management (IAM) permissions. You can't perform these steps as an IAM user or role.

  1. Use your AWS account's email address and password to sign in to the AWS Management Console as your AWS account root user.

  2. Choose your account name in the navigation bar, and then choose My Security Credentials.

  3. If you see a warning about accessing the security credentials for your AWS account, choose Continue to Security Credentials.

  4. Expand the Access keys (access key ID and secret access key) section.

  5. Choose Create New Access Key. If this option is not available, then you already have the maximum number of access keys. You must delete one of the existing access keys before you can create a new key. For more information, see IAM Object Quotas in the IAM User Guide.

    A warning explains that you have only this one opportunity to view or download the secret access key. You can't retrieve it later.

    • If you choose Show Access Key, you can copy the access key ID and secret key from your browser window and paste them somewhere else.

    • If you choose Download Key File, you receive a file named rootkey.csv that contains the access key ID and the secret key. Save the file somewhere safe.

  6. When you no longer need the access key, we recommend that you delete it, or at least mark it inactive by choosing Make Inactive so that no one can misuse it.

AWS CLI & SDKs
To create an access key for the root user
Note

To run the following command or API operation as the root user, you must already have one active access key pair. If you don't have any access keys, create the first access key using the AWS Management Console. Then, you can use the credentials from that first access key with the AWS CLI to create the second access key, or to delete an access key.

  • AWS CLI: aws iam create-access-key

    $ aws iam create-access-key
    {
        "AccessKey": {
            "UserName": "MyUserName",
            "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
            "Status": "Active",
            "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
            "CreateDate": "2021-04-08T19:30:16+00:00"
        }
    }

  • AWS API: CreateAccessKey

Deleting access keys for the root user

You can use the AWS Management Console to delete access keys for the root user. You can't use the AWS CLI or the AWS API to delete the root user access keys.

AWS Management Console
To delete an access key for the root user
Minimum permissions

To perform the following steps, you must have at least the following IAM permissions:

  • You must sign in as the AWS account root user, which requires no additional AWS Identity and Access Management (IAM) permissions. You can't perform these steps as an IAM user or role.

  1. Use your AWS account's email address and password to sign in to the AWS Management Console as your AWS account root user.

  2. Choose your account name in the navigation bar, and then choose My Security Credentials.

  3. If you see a warning about accessing the security credentials for your AWS account, choose Continue to Security Credentials.

  4. Expand the Access keys (access key ID and secret access key) section.

  5. Find the access key that you want to delete, and then, under the Actions column, choose Delete.

    Note

    You can mark an access key as inactive instead of deleting it. This way you can resume using it in the future without having to change either the key ID or secret key. While the key is inactive, any attempts to use it in requests to the AWS API fail with the error access denied.
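
One way to confirm that no root user access key remains active after you delete or deactivate it, shown as an added example that is not part of the AWS documentation: the function below reads an IAM credential report, in which the root user appears as the row `<root_account>`. The sample report, the account ID, the dates, and the IAM user alice are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit root user access keys from an IAM credential report.
# To obtain a real report (assumes a principal allowed to read it):
#   aws iam generate-credential-report
#   aws iam get-credential-report --query Content --output text | base64 -d

# Constructed sample, trimmed to the columns this check reads.
SAMPLE_REPORT='user,arn,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,true,true,2021-04-08T19:45:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,2021-04-07T10:00:00+00:00,false,N/A'

# root_key_status: read a credential report CSV on stdin and print one line
# per root access key slot: "<slot> <active> <last_used_date>".
# Exit status: 0 = no active root key, 1 = at least one active key,
#              2 = the report has no <root_account> row.
root_key_status() {
    awk -F',' '
        NR == 1 {
            # Locate columns by header name; a full report has more columns.
            for (i = 1; i <= NF; i++) col[$i] = i
            next
        }
        $(col["user"]) == "<root_account>" {
            found = 1
            for (k = 1; k <= 2; k++) {
                active = $(col["access_key_" k "_active"])
                used   = $(col["access_key_" k "_last_used_date"])
                print "access_key_" k, active, used
                if (active == "true") bad = 1
            }
        }
        END {
            if (!found) exit 2
            exit (bad ? 1 : 0)
        }
    '
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_REPORT" | root_key_status ||
    echo "root access key still active, or root row missing from report"
```

A non-zero exit status makes the function usable as a gate in a scheduled audit job; the last-used date shows whether an active root key is still being exercised before you remove it.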

AWS CLI & SDKs
To delete an access key for the root user
Minimum permissions

To perform the following steps, you must have at least the following IAM permissions:

  • You must sign in as the AWS account root user, which requires no additional AWS Identity and Access Management (IAM) permissions. You can't perform these steps as an IAM user or role.