Authentication - AWS Secrets Manager


AWS defines authentication as the process of establishing an identity that represents you in the services you access. Typically, an administrator assigns an identity to you, and you access the identity by providing credentials with your request, such as a user name and password, or by signing your request with an AWS access key.

AWS supports the following types of identities:

  • AWS account root user – When you sign up for AWS, you provide an email address and password for your AWS account. AWS uses this information as the credentials for your account root user, and provides complete access to all of your AWS resources.


    For security reasons, we recommend you use the root user credentials only to create an administrator user, an IAM user with full permissions to your AWS account. Then you can use this administrator user to create other IAM users and roles with limited, specific permissions for a job or role. For more information, see Create Individual IAM Users (IAM Best Practices) and Creating An Admin User and Group in the IAM User Guide.

  • IAM user – An IAM user has an identity within your AWS account with specific permissions, for example, accessing a Secrets Manager secret. You can use an IAM user name and password to sign in to secure AWS web pages such as the AWS Management Console, AWS Discussion Forums, or the AWS Support Center.

    In addition to a user name and password, you can also create access keys for each user to enable access to AWS services programmatically, through one of the AWS SDKs or the command line tools. The SDKs and command line tools use the access keys to cryptographically sign API requests. If you don't use the AWS tools, you must sign API requests yourself. AWS KMS supports Signature Version 4, an AWS protocol for authenticating API requests. For more information about authenticating API requests, see Signature Version 4 Signing Process in the AWS General Reference.

  • IAM role – You can create an IAM role in your account with specific permissions. An IAM role is similar to an IAM user, but it is not associated with a specific person. An IAM role enables you to obtain temporary access keys to access AWS services and resources programmatically. IAM roles are useful in the following situations:

    • Federated user access – Instead of creating an IAM user, you can use pre-existing user identities from AWS Directory Service, your enterprise user directory, or a web identity provider (IdP). These are known as federated users. Identity providers associate IAM roles with federated users. For more information about federated users, see Federated Users and Roles in the IAM User Guide.

    • Cross-account access – You can use an IAM role in your AWS account to allow another AWS account permission to access your account resources. For an example, see Tutorial: Delegate Access Across AWS Accounts Using IAM Roles in the IAM User Guide.

    • AWS service access – You can use an IAM role in your account to grant an AWS service permission to access your account resources. For example, you can create a role that allows Amazon Redshift to access an S3 bucket on your behalf, and then load data stored in the S3 bucket into an Amazon Redshift cluster. For more information, see Creating a Role to Delegate Permissions to an AWS Service in the IAM User Guide.

    • Applications running on EC2 instances – Instead of storing access keys on an EC2 instance, for use by applications running on the instance and sending AWS API requests, you can use an IAM role to provide temporary access keys for these applications. To assign an IAM role to an EC2 instance, you create an instance profile, and then attach the profile when you launch the instance. An instance profile contains the IAM role, and enables applications running on the EC2 instance to obtain temporary access keys. For more information, see Using Roles for Applications on Amazon EC2 in the IAM User Guide.
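The IAM user item above notes that, without the AWS tools, you must sign API requests yourself with Signature Version 4. The following added example (not AWS's own code) derives the signing key and builds the Authorization header for a Secrets Manager JSON POST. The key pair, timestamp, request body, and the minimal set of signed headers are constructed assumptions.

```python
import datetime
import hashlib
import hmac

# Constructed placeholders for illustration; not real credentials.
ACCESS_KEY = "AKIAEXAMPLEKEYID0000"
SECRET_KEY = "constructed-secret-access-key-for-illustration"
REGION = "us-east-1"
SERVICE = "secretsmanager"
HOST = f"{SERVICE}.{REGION}.amazonaws.com"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service key; the secret key is never sent."""
    key = _hmac(("AWS4" + secret_key).encode(), date)
    for scope_part in (region, service, "aws4_request"):
        key = _hmac(key, scope_part)
    return key


def sign_request(body, target, when, access_key=ACCESS_KEY, secret_key=SECRET_KEY):
    """Return the headers, including Authorization, for a signed JSON POST to '/'."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    headers = {
        "content-type": "application/x-amz-json-1.1",
        "host": HOST,
        "x-amz-date": amz_date,
        "x-amz-target": target,
    }
    names = sorted(headers)
    signed_headers = ";".join(names)
    canonical_headers = "".join(f"{n}:{headers[n]}\n" for n in names)
    # Canonical request: method, URI, empty query string, headers, signed list, body hash.
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_headers,
                                   hashlib.sha256(body.encode()).hexdigest()])
    scope = f"{date}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = signing_key(secret_key, date, REGION, SERVICE)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers
```

Because the body hash and the timestamp are both inputs to the string that is signed, altering either after signing produces a signature mismatch on the service side.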

After you sign in with an identity, access control and authorization determine the tasks that you, through your identity, can perform.