Amazon Web Services
General Reference (Version 1.0)

Managing Access Keys for Your AWS Account Root User

We strongly recommend that you do not use the AWS account root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. To view the tasks that require you to sign in as the root user, see AWS Tasks That Require Root User.

You can create, rotate, disable, or delete access keys (access key IDs and secret access keys) for your AWS account root user. Anyone who has root user access keys for your AWS account has unrestricted access to all the resources in your account, including billing information.

When you create access keys, you create the access key ID and secret access key as a set. During access key creation, AWS gives you one opportunity to view and download the secret access key part of the access key. If you don't download it or if you lose it, you can delete the access key and then create a new one. You can create IAM user access keys with the IAM console, AWS CLI, or AWS API. For more information, see Managing Access Keys for IAM Users in the IAM User Guide. To create access keys for your AWS account root user, you must use the AWS Management Console.

A newly created access key has the status of active, which means that you can use the access key for CLI and API calls. You are limited to two access keys for each IAM user, which is useful when you want to rotate the access keys. You can also assign up to two access keys to the root user. When you disable an access key, you can't use it for API calls, and inactive keys do count toward your limit. You can create or delete an access key at any time. However, when you delete an access key, it's gone forever and can't be retrieved.

Creating, Disabling, and Deleting Access Keys for Your AWS Account Root User

Follow these steps to manage access keys for your AWS account. For information about managing access keys for IAM users, see Managing Access Keys for IAM Users in the IAM User Guide.

To create, disable, or delete an access key for your AWS account root user

  1. Use your AWS account email address and password to sign in to the AWS Management Console as the AWS account root user.

    Note

    If you previously signed in to the console with IAM user credentials, your browser might remember this preference and open your account-specific sign-in page. You cannot use the IAM user sign-in page to sign in with your AWS account root user credentials. If you see the IAM user sign-in page, choose Sign-in using root user credentials near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account email address and password.

  2. Choose your account name in the navigation bar, and then choose My Security Credentials.

  3. If you see a warning about accessing the security credentials for your AWS account, choose Continue to Security Credentials.

  4. Expand the Access keys (access key ID and secret access key) section.

  5. Then do any of the following:

    To create an access key

    Choose Create New Access Key. If this feature is disabled, then you must delete one of the existing access keys before you can create a new key. For more information, see IAM Entity Object Limits in the IAM User Guide.

    A warning explains that you have only this one opportunity to view or download the secret access key. It cannot be retrieved later.

    • Choose Show Access Key to copy the access key ID and secret key from your browser window and paste them somewhere else.

    • Choose Download Key File to download the rootkey.csv file that contains the access key ID and the secret key. Save the file somewhere safe.

    To disable an existing access key

    Choose Make Inactive next to the access key that you are disabling. To reenable an inactive access key, choose Make Active.

    To delete an existing access key

    Before you delete an access key, make sure it's no longer in use. For more information, see Finding unused access keys in the IAM User Guide. You can't recover an access key after deleting it. To delete your access key, choose Delete next to the access key that you want to delete.
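
An added example, not part of the AWS documentation: a Python check that reads the root user row (`<root_account>`) of an IAM credential report and lists each active root access key with its last-use state, which is the check to make before disabling or deleting a key. The report text and account ID are constructed sample data, and `audit_root_keys` and `idle_days` are names chosen for this example.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the IAM credential report CSV layout, trimmed to the
# columns this check reads. All values are made up for the example.
SAMPLE_REPORT = """\
user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,true,true,2023-01-10T09:00:00+00:00,2024-05-28T14:30:00+00:00,s3,true,2023-06-01T09:00:00+00:00,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,2024-04-01T09:00:00+00:00,2024-05-30T08:00:00+00:00,ec2,false,N/A,N/A,N/A
"""


def audit_root_keys(report_csv, now, idle_days=90):
    """Return one finding per active root access key slot (1 or 2)."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] != "<root_account>":
            continue  # IAM users are out of scope for this check
        for slot in ("1", "2"):
            prefix = f"access_key_{slot}_"
            if row[prefix + "active"] != "true":
                continue  # no usable key in this slot
            last_used = row[prefix + "last_used_date"]
            if last_used == "N/A":
                status, idle = "never-used", None
            else:
                idle = (now - datetime.fromisoformat(last_used)).days
                status = "idle" if idle >= idle_days else "in-use"
            findings.append({
                "slot": int(slot),
                "status": status,        # in-use: find the caller first
                "idle_days": idle,
                "last_service": row[prefix + "last_used_service"],
            })
    return findings


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed for the sample
    for f in audit_root_keys(SAMPLE_REPORT, now):
        print(f"root access key {f['slot']}: {f['status']} "
              f"(idle_days={f['idle_days']}, last_service={f['last_service']})")
```

A key reported as `in-use` still has a caller that will break when the key is made inactive; `never-used` and `idle` keys are the ones to disable first and then delete.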