GetBucketAccessKeys - Amazon Lightsail


Returns the existing access key IDs for the specified Amazon Lightsail bucket.


This action does not return the secret access key value of an access key. You can get a secret access key only when you create it from the response of the CreateBucketAccessKey action. If you lose the secret access key, you must create a new access key.

Request Syntax

{ "bucketName": "string" }

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.


The name of the bucket for which to return access keys.

Type: String

Length Constraints: Minimum length of 3. Maximum length of 54.

Pattern: ^[a-z0-9][a-z0-9-]{1,52}[a-z0-9]$

Required: Yes

Response Syntax

{ "accessKeys": [ { "accessKeyId": "string", "createdAt": number, "lastUsed": { "lastUsedDate": number, "region": "string", "serviceName": "string" }, "secretAccessKey": "string", "status": "string" } ] }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.


An object that describes the access keys for the specified bucket.

Type: Array of AccessKey objects


For information about the errors that are common to all actions, see Common Errors.


Lightsail throws this exception when the user cannot be authenticated or uses invalid credentials to access a resource.

HTTP Status Code: 400


Lightsail throws this exception when user input does not conform to the validation rules of an input field.


Domain and distribution APIs are only available in the N. Virginia (us-east-1) AWS Region. Please set your AWS Region configuration to us-east-1 to create, view, or edit these resources.

HTTP Status Code: 400


Lightsail throws this exception when it cannot find a resource.

HTTP Status Code: 400


A general service exception.

HTTP Status Code: 500


Lightsail throws this exception when the user has not been authenticated.

HTTP Status Code: 400


In the following example or examples, the Authorization header contents (AUTHPARAMS) must be replaced with an AWS Signature Version 4 signature. For more information about creating these signatures, see Signature Version 4 Signing Process in the AWS General Reference.

You need to learn how to sign HTTP requests only if you intend to manually create them. When you use the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs to make requests to AWS, these tools automatically sign the requests for you with the access key that you specify when you configure the tools. When you use these tools, you don't need to learn how to sign requests yourself.

Get bucket access keys

The following example returns the access keys for the bucket named DOC-EXAMPLE-BUCKET. The example response shows that the bucket has one access key (i.e., AKIAZEXAMPLE12345PKWV).

Sample Request

POST / HTTP/1.1 Host: Accept-Encoding: identity X-Amz-Target: Lightsail_20161128.GetBucketAccessKeys Content-Type: application/x-amz-json-1.1 User-Agent: AGENT X-Amz-Date: 20210616T143306Z Authorization: AUTHPARAMS Content-Length: 49 {"bucketName": "DOC-EXAMPLE-BUCKET"}

Sample Response

HTTP/1.1 200 OK Server: Server Date: Wed, 16 Jun 2021 14:33:07 GMT Content-Type: application/x-amz-json-1.1 Content-Length: 99 x-amzn-RequestId: faebc873-b9cd-4dd1-bd6d-caac46bd5a19 Connection: keep-alive { "accessKeys": [ { "accessKeyId": "AKIAZEXAMPLE12345PKWV", "createdAt": 1.619209369E9, "status": "Active" } ] }

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: