Understanding and getting your AWS credentials
AWS requires different types of security credentials depending on how you access AWS. For example, you need a user name and password to sign in to the AWS Management Console and you need access keys to make programmatic calls to AWS or to use the AWS Command Line Interface or AWS Tools for PowerShell.
Considerations
- Be sure to save the following in a secure location: the email address associated with your AWS account, the AWS account ID, the root user password, and your account access keys. If you forget or lose your root user password, you must have access to the email address associated with your account in order to reset it. If you forget or lose your access keys, you must sign in to your account to create new ones.
- We strongly recommend that you create an IAM user with administrator permissions to use for everyday AWS tasks and lock away the password and access keys for the root user. Use the root user only for the tasks that are restricted to the root user.
- Security credentials are account-specific. If you have access to multiple AWS accounts, you have separate credentials for each account.
- Do not provide your AWS credentials to a third party.
Credentials
Console access
There are two different types of users in AWS. You are either the account owner (root user) or you are an AWS Identity and Access Management (IAM) user. How you sign in to the AWS Management Console depends on whether you are the root user or an IAM user.
Root user email address and password
When you first create an AWS account, you specify an email address for the account and a password for the root user. To sign in to your AWS account as the root user, you provide this email address and password. The root user can sign in to the AWS Management Console and change the account name, email address, and password using the Security Credentials
IAM user name and password
IAM users are created by the root user or an IAM administrator within the AWS account. The user who created your IAM user should provide you with either the account alias or 12-digit AWS account ID, the IAM user name, and the password for the IAM user. An IAM user can sign in using either the console sign-in page or the following sign-in URL, replacing account_id_or_alias with either the account alias or AWS account ID provided to you:
https://account_id_or_alias.signin.aws.amazon.com/console/
If you forget the password for your IAM user, contact your IAM administrator or the account owner. If your IAM administrator gave you permissions to manage your own AWS credentials, then you can change your password periodically, which is a security best practice, using the Security Credentials
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) provides an extra level of security that you can apply to your AWS account. For additional security, we recommend that you require MFA on the AWS account root user credentials and highly privileged IAM users. For more information, see Using Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.
With MFA enabled, when you sign in to your AWS account, you are prompted for your user name and password, plus an authentication code from an MFA device. Adding MFA provides increased security for your AWS account settings and resources.
By default, MFA (multi-factor authentication) is not enabled. You can enable and manage MFA devices for the AWS account root user by going to the Security Credentials
Programmatic access
You must provide your AWS access keys to make programmatic calls to AWS or to use the AWS Command Line Interface or AWS Tools for PowerShell.
When you create your access keys, you create the access key ID (for example, AKIAIOSFODNN7EXAMPLE) and secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY) as a set. The secret access key is available for download only when you create it. If you don't download your secret access key or if you lose it, you must create a new one.
You can assign up to two access keys per user (root user or IAM user). Having two access keys is useful when you want to rotate them. When you disable an access key, you can't use it, but it counts toward your limit of two access keys. After you delete an access key, it's gone forever and can't be restored, but it can be replaced with a new access key.
To manage access keys when signed in as the root user
- Sign in to the AWS Management Console as the root user. For more information, see Sign in as the root user in the IAM User Guide.
- In the navigation bar on the upper right, choose your account name or number and then choose My Security Credentials.
- Expand the Access keys (access key ID and secret access key) section.
- Do one of the following:
  - To create an access key, choose Create New Access Key. If you already have two access keys, this button is disabled and you must delete an access key before you can create a new one. When prompted, choose either Show Access Key or Download Key File. This is your only opportunity to save your secret access key. After you've saved your secret access key in a secure location, choose Close.
  - To deactivate an access key, choose Make Inactive. When prompted for confirmation, choose Deactivate. A deactivated access key still counts toward your limit of two access keys.
  - To activate an access key, choose Make Active.
  - To delete an access key when you no longer need it, copy the access key ID and then choose Delete. Before you can delete the access key, you must choose Deactivate. We recommend that you verify that the access key is no longer in use before you permanently delete it. To confirm deletion, paste the access key ID in the text input field and then choose Delete.
To manage access keys when signed in as an IAM user
- Sign in to the AWS Management Console as an IAM user. For more information, see Sign in as an IAM user in the IAM User Guide.
- In the navigation bar on the upper right, choose your user name and then choose My Security Credentials.
  Tip: If you do not see the My Security Credentials page, you might be signed in as a federated user, not an IAM user. You can create and use temporary access keys instead.
- Do one of the following:
  - To create an access key, choose Create access key. If you already have two access keys, this button is disabled and you must delete an access key before you can create a new one. When prompted, choose either Show secret access key or Download .csv file. This is your only opportunity to save your secret access key. After you've saved your secret access key in a secure location, choose Close.
  - To deactivate an access key, choose Make inactive. When prompted for confirmation, choose Deactivate. A deactivated access key still counts toward your limit of two access keys.
  - To activate an access key, choose Make active. When prompted for confirmation, choose Make active.
  - To delete an access key when you no longer need it, copy the access key ID and then choose Delete. This deactivates the access key. We recommend that you verify that the access key is no longer in use before you permanently delete it. To confirm deletion, paste the access key ID in the text input field and then choose Delete.
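The two procedures above are manual console steps. The same rotation can be scripted against the IAM API, which is how it is usually done for keys that services depend on. The following is an added example, not code from the AWS documentation: it uses the boto3 IAM client's method names, keyword arguments and response shapes (list_access_keys, get_access_key_last_used, create_access_key, update_access_key, delete_access_key), but the FakeIamClient, the user name alice, and every key value are constructed so that it runs offline; for real use, pass boto3.client("iam") instead. It encodes the two rules the procedures state: a user holds at most two keys, and a key should be deactivated and confirmed unused before it is deleted.

```python
"""Access-key rotation that respects the two-key limit and verifies a key is
unused before deleting it. Added example: FakeIamClient and every key value
are constructed so it runs offline; swap in boto3.client("iam") for real use."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class KeyRecord:
    access_key_id: str
    status: str                    # "Active" or "Inactive", as IAM reports it
    last_used: Optional[datetime]  # None if the key has never been used


class FakeIamClient:
    """Constructed stand-in for the boto3 IAM client (same calls and response shapes)."""

    def __init__(self, keys):
        self._keys = {k.access_key_id: k for k in keys}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"UserName": UserName, "AccessKeyId": k.access_key_id,
                                       "Status": k.status} for k in self._keys.values()]}

    def get_access_key_last_used(self, AccessKeyId):
        info = {"ServiceName": "N/A", "Region": "N/A"}  # IAM's answer for a never-used key
        if self._keys[AccessKeyId].last_used is not None:
            info["LastUsedDate"] = self._keys[AccessKeyId].last_used
        return {"AccessKeyLastUsed": info}

    def create_access_key(self, UserName):
        if len(self._keys) >= 2:  # the per-user quota the page describes
            raise RuntimeError("LimitExceeded: AccessKeysPerUser quota is 2")
        key = KeyRecord("AKIA" + secrets.token_hex(8).upper(), "Active", None)
        self._keys[key.access_key_id] = key
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": key.access_key_id,
                              "SecretAccessKey": secrets.token_urlsafe(30), "Status": "Active"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self._keys[AccessKeyId].status = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self._keys[AccessKeyId]


def unused_since(iam, access_key_id, cutoff):
    """True if the key was never used, or not used since `cutoff`."""
    last = iam.get_access_key_last_used(AccessKeyId=access_key_id)["AccessKeyLastUsed"]
    return "LastUsedDate" not in last or last["LastUsedDate"] < cutoff


def rotate_access_key(iam, user, now=None, grace=timedelta(days=7)):
    """Step 1: create the replacement key. If the user already holds two, make
    room only by deleting one that is Inactive and unused for `grace`;
    otherwise refuse rather than risk breaking a live integration."""
    now = now or datetime.now(timezone.utc)
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(keys) >= 2:
        disposable = [k for k in keys if k["Status"] == "Inactive"
                      and unused_since(iam, k["AccessKeyId"], now - grace)]
        if not disposable:
            raise RuntimeError(f"{user} holds two keys and neither is safe to delete")
        iam.delete_access_key(UserName=user, AccessKeyId=disposable[0]["AccessKeyId"])
    new = iam.create_access_key(UserName=user)["AccessKey"]
    return new["AccessKeyId"], new["SecretAccessKey"]  # the secret is shown once: store it now


def retire_access_key(iam, user, access_key_id, now=None, grace=timedelta(days=7)):
    """Step 2, after the new key is deployed: deactivate the old key once it has
    gone unused for `grace`; on a later run, delete it if it is still unused.
    Returns "still-in-use", "deactivated" or "deleted"."""
    now = now or datetime.now(timezone.utc)
    if not unused_since(iam, access_key_id, now - grace):
        return "still-in-use"  # something still signs with it: find that caller first
    status = {k["AccessKeyId"]: k["Status"]
              for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]}[access_key_id]
    if status == "Active":
        iam.update_access_key(UserName=user, AccessKeyId=access_key_id, Status="Inactive")
        return "deactivated"  # still counts toward the limit of two
    iam.delete_access_key(UserName=user, AccessKeyId=access_key_id)
    return "deleted"


def demo_rotation():
    """Walk one key through the cycle; returns both retire results and whether only the new key remains."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    old = "AKIAIOSFODNN7EXAMPLE"  # the page's example key id, last used 30 days ago
    iam = FakeIamClient([KeyRecord(old, "Active", now - timedelta(days=30))])
    new_id, _secret = rotate_access_key(iam, "alice", now)
    first = retire_access_key(iam, "alice", old, now)
    second = retire_access_key(iam, "alice", old, now)
    left = [k["AccessKeyId"] for k in iam.list_access_keys(UserName="alice")["AccessKeyMetadata"]]
    return first, second, left == [new_id]


if __name__ == "__main__":
    print(demo_rotation())  # ('deactivated', 'deleted', True)
```

The grace period is the only judgement call: get_access_key_last_used reports the last sign request IAM saw, so a key that shows no use for a week after the new one was deployed is very likely dead, whereas deleting on the same day as the cut-over can break a caller that runs infrequently. The refusal in rotate_access_key is deliberate; with two live keys the right move is to find out who uses them, not to free a slot.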
Externally authenticated users (identity federation)
Your users might already have identities outside of AWS, such as in your corporate directory. If those users need to work with AWS resources (or work with applications that access those resources), then those users also need AWS security credentials. You can use an IAM role to specify permissions for users whose identity is federated from your organization or a third-party identity provider (IdP). For more information, see Providing access to externally authenticated users (identity federation) in the IAM User Guide.
Temporary access keys
You can also create and use temporary access keys, known as temporary security credentials. In addition to the access key ID and secret access key, temporary security credentials include a security token that you must send to AWS when you use temporary security credentials. The advantage of temporary security credentials is that they are short term. After they expire, they're no longer valid. You can use temporary access keys in less secure environments or distribute them to grant users temporary access to resources in your AWS account. For example, you can grant entities from other AWS accounts access to resources in your AWS account (cross-account access). You can also grant users who don't have AWS security credentials access to resources in your AWS account (federation). For more information, see aws sts assume-role.
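What "access key ID, secret access key and a security token" looks like in practice is the Credentials object that aws sts assume-role prints. The following is an added example, not part of the AWS documentation: the JSON sample, account number, role name, profile name and timestamps are all constructed placeholders. It assumes the documented response fields (Credentials.AccessKeyId, SecretAccessKey, SessionToken, Expiration), the standard AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN environment variables, the matching credentials-file keys, and the convention that temporary key IDs start with ASIA while long-term user keys start with AKIA. It shows the two things the paragraph leaves implicit: the token is a mandatory third part of the credential, and the Expiration must be checked before the credential is handed to anything.

```python
"""Consume the output of `aws sts assume-role`: all three parts of the temporary
credential are required, and it must not be used once it has expired.
Added example; the sample response below is constructed, not a real credential."""
import json
from datetime import datetime, timedelta

# Constructed sample with the shape of `aws sts assume-role` JSON output.
# Temporary access key IDs begin with "ASIA" (long-term ones with "AKIA");
# every value here is a placeholder.
SAMPLE_ASSUME_ROLE_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "IQoJb3JpZ2luX2VjEXAMPLESESSIONTOKEN",
        "Expiration": "2024-06-01T13:00:00Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEROLEID:example-session",
        "Arn": "arn:aws:sts::111122223333:assumed-role/ExampleRole/example-session",
    },
})


class CredentialsExpired(Exception):
    """Raised when the session has expired or is about to."""


def parse_timestamp(value):
    """Parse the ISO 8601 timestamps the CLI prints ("...Z" or "...+00:00")."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def env_from_assume_role(output_json, now, min_remaining=timedelta(minutes=1)):
    """Return the environment variables the AWS CLI and SDKs read for temporary
    credentials, refusing if less than `min_remaining` of the session is left."""
    creds = json.loads(output_json)["Credentials"]
    expires = parse_timestamp(creds["Expiration"])
    remaining = expires - now
    if remaining < min_remaining:
        raise CredentialsExpired(f"session expires at {expires.isoformat()}; {remaining} left")
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        # The token is part of the credential: an ASIA key without it is rejected.
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def credentials_file_section(profile, env):
    """Render the same credentials as a named profile for ~/.aws/credentials."""
    return "\n".join([
        f"[{profile}]",
        f"aws_access_key_id = {env['AWS_ACCESS_KEY_ID']}",
        f"aws_secret_access_key = {env['AWS_SECRET_ACCESS_KEY']}",
        f"aws_session_token = {env['AWS_SESSION_TOKEN']}",
        "",
    ])


def is_temporary_key(access_key_id):
    """Temporary (STS) key IDs start with ASIA; long-term user keys with AKIA."""
    return access_key_id.startswith("ASIA")


if __name__ == "__main__":
    env = env_from_assume_role(SAMPLE_ASSUME_ROLE_OUTPUT,
                               now=parse_timestamp("2024-06-01T12:00:00Z"))
    print(credentials_file_section("cross-account", env))
```

Passing `now` explicitly rather than reading the clock inside the function keeps the expiry check testable; in a real wrapper you would call it with the current UTC time and re-run assume-role when it raises, instead of letting a stale token produce an ExpiredToken error deep in some SDK call.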