AWS SDK for Java
Developer Guide

Managing IAM Access Keys

Important

This is a preview release and is not recommended for production environments.

Creating an Access Key

To create an IAM access key, call the IamClient's createAccessKey method with a CreateAccessKeyRequest object.

Note

You must set the region to AWS_GLOBAL for IamClient calls to work because IAM is a global service.

Imports

import software.amazon.awssdk.services.iam.model.CreateAccessKeyRequest;
import software.amazon.awssdk.services.iam.model.CreateAccessKeyResponse;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;

Code

Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder().region(region).build();

CreateAccessKeyRequest request = CreateAccessKeyRequest.builder()
    .userName(user).build();

CreateAccessKeyResponse response = iam.createAccessKey(request);

See the complete example on GitHub.

Listing Access Keys

To list the access keys for a given user, create a ListAccessKeysRequest object that contains the user name to list keys for, and pass it to the IamClient's listAccessKeys method.

Note

If you do not supply a user name to listAccessKeys, it will attempt to list access keys associated with the AWS account that signed the request.

Imports

import software.amazon.awssdk.services.iam.model.AccessKeyMetadata;
import software.amazon.awssdk.services.iam.model.ListAccessKeysRequest;
import software.amazon.awssdk.services.iam.model.ListAccessKeysResponse;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;

Code

Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder().region(region).build();

boolean done = false;
String new_marker = null;

while (!done) {
    ListAccessKeysResponse response;

    if (new_marker == null) {
        // First page: no marker yet.
        ListAccessKeysRequest request = ListAccessKeysRequest.builder()
            .userName(username).build();
        response = iam.listAccessKeys(request);
    } else {
        // Subsequent pages: pass the marker returned by the previous call.
        ListAccessKeysRequest request = ListAccessKeysRequest.builder()
            .userName(username)
            .marker(new_marker).build();
        response = iam.listAccessKeys(request);
    }

    for (AccessKeyMetadata metadata : response.accessKeyMetadata()) {
        System.out.format("Retrieved access key %s%n", metadata.accessKeyId());
    }

    if (!response.isTruncated()) {
        done = true;
    } else {
        new_marker = response.marker();
    }
}

The results of listAccessKeys are paged (with a default maximum of 100 records per call). You can call isTruncated on the returned ListAccessKeysResponse object to see if the query returned fewer results than are available. If so, call marker on the ListAccessKeysResponse and use it when creating a new request. Use that new request in the next invocation of listAccessKeys.

See the complete example on GitHub.

Retrieving an Access Key's Last Used Time

To get the time an access key was last used, call the IamClient's getAccessKeyLastUsed method with the access key's ID (which can be passed in using a GetAccessKeyLastUsedRequest object).

You can then use the returned GetAccessKeyLastUsedResponse object to retrieve the key's last used time.

Imports

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.GetAccessKeyLastUsedRequest;
import software.amazon.awssdk.services.iam.model.GetAccessKeyLastUsedResponse;

Code

Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder().region(region).build();

GetAccessKeyLastUsedRequest request = GetAccessKeyLastUsedRequest.builder()
    .accessKeyId(access_id).build();

GetAccessKeyLastUsedResponse response = iam.getAccessKeyLastUsed(request);

System.out.println("Access key was last used at: " +
    response.accessKeyLastUsed().lastUsedDate());

See the complete example on GitHub.

Activating or Deactivating Access Keys

You can activate or deactivate an access key by creating an UpdateAccessKeyRequest object, providing the access key ID, optionally the user name, and the desired status, then passing the request object to the IamClient's updateAccessKey method.

Imports

import software.amazon.awssdk.services.iam.model.StatusType;
import software.amazon.awssdk.services.iam.model.UpdateAccessKeyRequest;
import software.amazon.awssdk.services.iam.model.UpdateAccessKeyResponse;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;

Code

String username = args[0];
String access_id = args[1];
String status = args[2];

// Map the command-line argument onto the SDK's StatusType enum.
// Any other value falls through to UNKNOWN_TO_SDK_VERSION, which carries no
// status value, so the service rejects the request.
StatusType statusType;
if (status.equalsIgnoreCase("active")) {
    statusType = StatusType.ACTIVE;
} else if (status.equalsIgnoreCase("inactive")) {
    statusType = StatusType.INACTIVE;
} else {
    statusType = StatusType.UNKNOWN_TO_SDK_VERSION;
}

Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder().region(region).build();

UpdateAccessKeyRequest request = UpdateAccessKeyRequest.builder()
    .accessKeyId(access_id)
    .userName(username)
    .status(statusType)
    .build();

UpdateAccessKeyResponse response = iam.updateAccessKey(request);

See the complete example on GitHub.
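The listing, last-used and deactivation calls above are the building blocks of a routine access-key hygiene check. The following is an added example, not code from the guide or the SDK project: it pages through a user's keys, asks IAM when each active key was last used, and deactivates (rather than deletes) any key idle for longer than a chosen threshold, so it can be re-enabled if it turns out to be needed. The class name StaleKeyAudit, the helper names and the 90-day threshold are assumptions chosen for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.AccessKeyLastUsed;
import software.amazon.awssdk.services.iam.model.AccessKeyMetadata;
import software.amazon.awssdk.services.iam.model.GetAccessKeyLastUsedRequest;
import software.amazon.awssdk.services.iam.model.ListAccessKeysRequest;
import software.amazon.awssdk.services.iam.model.ListAccessKeysResponse;
import software.amazon.awssdk.services.iam.model.StatusType;
import software.amazon.awssdk.services.iam.model.UpdateAccessKeyRequest;

public class StaleKeyAudit {  // hypothetical class name, not part of the SDK
    // Follows the marker until isTruncated() is false, so users with more than one page of keys are covered.
    static List<AccessKeyMetadata> listAllKeys(IamClient iam, String userName) {
        List<AccessKeyMetadata> keys = new ArrayList<>();
        String marker = null;
        do {
            ListAccessKeysRequest.Builder b = ListAccessKeysRequest.builder().userName(userName);
            if (marker != null) { b.marker(marker); }
            ListAccessKeysResponse resp = iam.listAccessKeys(b.build());
            keys.addAll(resp.accessKeyMetadata());
            marker = Boolean.TRUE.equals(resp.isTruncated()) ? resp.marker() : null;
        } while (marker != null);
        return keys;
    }
    // Deactivates (does not delete) active keys idle longer than maxIdle; returns the IDs that were changed.
    static List<String> deactivateStaleKeys(IamClient iam, String userName, Instant now, Duration maxIdle) {
        List<String> deactivated = new ArrayList<>();
        for (AccessKeyMetadata key : listAllKeys(iam, userName)) {
            if (key.status() != StatusType.ACTIVE) { continue; }
            AccessKeyLastUsed lastUsed = iam.getAccessKeyLastUsed(GetAccessKeyLastUsedRequest.builder()
                    .accessKeyId(key.accessKeyId()).build()).accessKeyLastUsed();
            // lastUsedDate() is null for a key that has never been used: measure from its creation date.
            Instant since = lastUsed.lastUsedDate() != null ? lastUsed.lastUsedDate() : key.createDate();
            if (Duration.between(since, now).compareTo(maxIdle) > 0) {
                iam.updateAccessKey(UpdateAccessKeyRequest.builder().accessKeyId(key.accessKeyId())
                        .userName(userName).status(StatusType.INACTIVE).build());
                deactivated.add(key.accessKeyId());
            }
        }
        return deactivated;
    }
    public static void main(String[] args) {  // usage: StaleKeyAudit <user-name>
        IamClient iam = IamClient.builder().region(Region.AWS_GLOBAL).build();
        System.out.println("Deactivated: " + deactivateStaleKeys(iam, args[0], Instant.now(), Duration.ofDays(90)));
    }
}
```

The caller needs iam:ListAccessKeys, iam:GetAccessKeyLastUsed and iam:UpdateAccessKey on the target user; run it with a threshold you have agreed with the key's owners, since a deactivated key fails immediately for whatever still uses it.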

Deleting an Access Key

To permanently delete an access key, call the IamClient's deleteAccessKey method, providing it with a DeleteAccessKeyRequest containing the access key's ID and user name.

Note

Once deleted, a key can no longer be retrieved or used. To temporarily deactivate a key so that it can be activated again later, use the updateAccessKey method instead.

Imports

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.DeleteAccessKeyRequest;
import software.amazon.awssdk.services.iam.model.DeleteAccessKeyResponse;

Code

Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder().region(region).build();

DeleteAccessKeyRequest request = DeleteAccessKeyRequest.builder()
    .accessKeyId(access_key)
    .userName(username).build();

DeleteAccessKeyResponse response = iam.deleteAccessKey(request);

See the complete example on GitHub.

More Information