Creating credentials to access Amazon Keyspaces programmatically

To provide users and applications with credentials for programmatic access to Amazon Keyspaces resources, you can do either of the following:

Create service-specific credentials that are associated with a specific AWS Identity and Access Management (IAM) user.
Use an authentication plugin for temporary credentials. This plugin enables IAM users, roles, and federated identities to add authentication information to Amazon Keyspaces API requests using the AWS Signature Version 4 process (SigV4).

For code samples that show how to connect using the SigV4 authentication plugin, see Using a Cassandra client driver to access Amazon Keyspaces programmatically.

Topics

Generate service-specific credentials

Generate service-specific credentials

Service-specific credentials enable IAM users to access a specific AWS service. The credentials cannot be used to access other AWS services. They are associated with a specific IAM user and cannot be used by other IAM users.

Important

Service-specific credentials can only be used by IAM users. To give IAM roles or federated identities permissions to access your resources, you should use the authentication plugin to create temporary credentials.

Use one of the following procedures to generate a service-specific credential.

To generate service-specific credentials using the console

Sign in to the AWS Management Console and open the AWS Identity and Access Management console at https://console.aws.amazon.com/iam/home.
In the navigation pane, choose Users, and then choose the user that you created earlier that has Amazon Keyspaces permissions (policy attached).
Choose Security Credentials. Under Credentials for Amazon Keyspaces, choose Generate credentials to generate the service-specific credentials.

Your service-specific credentials are now available. This is the only time you can download or view the password. You cannot recover it later. However, you can reset your password at any time. Save the user and password in a secure location, because you'll need them later.

To generate service-specific credentials using the AWS CLI

Before generating service-specific credentials, you need to download, install, and configure the AWS Command Line Interface (AWS CLI):

Download the AWS CLI at http://aws.amazon.com/cli.

Note

The AWS CLI runs on Windows, macOS, or Linux.
Follow the instructions for Installing the AWS CLI and Configuring the AWS CLI in the AWS Command Line Interface User Guide.
Using the AWS CLI, run the following command to generate service-specific credentials for the user alice, so that she can access Amazon Keyspaces.
```
aws iam create-service-specific-credential \
    --user-name alice \
    --service-name cassandra.amazonaws.com
```

The output looks like the following.


{
    "ServiceSpecificCredential": {
        "CreateDate": "2019-10-09T16:12:04Z",
        "ServiceName": "cassandra.amazonaws.com",
        "ServiceUserName": "alice-at-111122223333",
        "ServicePassword": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "ServiceSpecificCredentialId": "ACCAYFI33SINPGJEBYESF",
        "UserName": "alice",
        "Status": "Active"
    }
}

In the output, note the values for ServiceUserName and ServicePassword. Save these values in a secure location, because you'll need them later.

Important

This is the only time that the ServicePassword will be available to you.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Connecting programmatically

Service endpoints