Accessing Timestream - Amazon Timestream

Accessing Timestream

You can access Timestream using the console, CLI or the API. Before accessing Timestream, you need to do the following:

  1. Sign up for AWS.

  2. Create an IAM user with Timestream access. For more information, see Create an IAM User with Timestream access.

  3. Get an AWS access key (not required for Console access).

  4. Configure your credentials (not required for Console access).

Signing Up for AWS

To use the Timestream service, you must have an AWS account. If you don't already have an account, you are prompted to create one when you sign up.

To sign up for AWS

  1. Open

  2. Follow the online instructions.

    Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

Create an IAM User with Timestream access

When you signed up for AWS, you created an AWS account using an email address and password. Those are your AWS account root user credentials. As a best practice, you should not use your AWS account root user credentials to access AWS. Nor should you give your credentials to anyone else. Instead, create individual users for those who need access to your AWS account. Create an AWS Identity and Access Management (IAM) user for yourself also. Give that user administrative permissions, and use that IAM user for all your work. For information about how to do this, see Creating Your First IAM Admin User and Group in the IAM User Guide.

If you're an account owner or administrator and want to know more about IAM, see the product description at or the technical documentation in the IAM User Guide.

To create an administrator user for yourself and add the user to an administrators group (console)

  1. Sign in to the IAM console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.


    We strongly recommend that you adhere to the best practice of using the Administrator IAM user that follows and securely lock away the root user credentials. Sign in as the root user only to perform a few account and service management tasks.

  2. In the navigation pane, choose Users and then choose Add user.

  3. For User name, enter Administrator.

  4. Select the check box next to AWS Management Console access. Then select Custom password, and then enter your new password in the text box.

  5. (Optional) By default, AWS requires the new user to create a new password when first signing in. You can clear the check box next to User must create a new password at next sign-in to allow the new user to reset their password after they sign in.

  6. Choose Next: Permissions.

  7. Under Set permissions, choose Add user to group.

  8. Choose Create group.

  9. In the Create group dialog box, for Group name enter Administrators.

  10. Choose Filter policies, and then select AWS managed - job function to filter the table contents.

  11. In the policy list, select the check box for AdministratorAccess. Then choose Create group.


    You must activate IAM user and role access to Billing before you can use the AdministratorAccess permissions to access the AWS Billing and Cost Management console. To do this, follow the instructions in step 1 of the tutorial about delegating access to the billing console.

  12. Back in the list of groups, select the check box for your new group. Choose Refresh if necessary to see the group in the list.

  13. Choose Next: Tags.

  14. (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM entities in the IAM User Guide.

  15. Choose Next: Review to see the list of group memberships to be added to the new user. When you are ready to proceed, choose Create user.

You can use this same process to create more groups and users and to give your users access to your AWS account resources. To learn about using policies that restrict user permissions to specific AWS resources, see Access management and Example policies.

Essentially, the permissions that are required to access Timestream are already granted to the administrator. For other users, you should grant them Timestream access using the following policy:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "timestream:*", "kms:DescribeKey", "kms:CreateGrant", "kms:Decrypt", "dbqms:CreateFavoriteQuery", "dbqms:DescribeFavoriteQueries", "dbqms:UpdateFavoriteQuery", "dbqms:DeleteFavoriteQueries", "dbqms:GetQueryString", "dbqms:CreateQueryHistory", "dbqms:UpdateQueryHistory", "dbqms:DeleteQueryHistory", "dbqms:DescribeQueryHistory", "s3:ListAllMyBuckets" ], "Resource": "*" } ] }

Getting an AWS Access Key (not required for Console access)

Before you can access Timestream programmatically, you must have an AWS access key. You don't need an access key if you plan to use the Timestream console only.

Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. If you don't have access keys, you can create them from the AWS Management Console. As a best practice, do not use the AWS account root user access keys for any task where it's not required. Instead, create a new administrator IAM user with access keys for yourself.

The only time that you can view or download the secret access key is when you create the keys. You cannot recover them later. However, you can create new access keys at any time. You must also have permissions to perform the required IAM actions. For more information, see Permissions required to access IAM resources in the IAM User Guide.

To create access keys for an IAM user

  1. Sign in to the AWS Management Console and open the IAM console at

  2. In the navigation pane, choose Users.

  3. Choose the name of the user whose access keys you want to create, and then choose the Security credentials tab.

  4. In the Access keys section, choose Create access key.

  5. To view the new access key pair, choose Show. You will not have access to the secret access key again after this dialog box closes. Your credentials will look something like this:


    • Secret access key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

  6. To download the key pair, choose Download .csv file. Store the keys in a secure location. You will not have access to the secret access key again after this dialog box closes.

    Keep the keys confidential in order to protect your AWS account and never email them. Do not share them outside your organization, even if an inquiry appears to come from AWS or No one who legitimately represents Amazon will ever ask you for your secret key.

  7. After you download the .csv file, choose Close. When you create an access key, the key pair is active by default, and you can use the pair right away.

Related topics

Configuring Your Credentials (not required for Console access)

Before you can access Timestream programmatically or through the AWS CLI, you must configure your credentials to enable authorization for your applications.

There are several ways to do this. For example, you can manually create the credentials file to store your AWS access key ID and secret access key. You can also use the aws configure command of the AWS CLI to automatically create the file. Alternatively, you can use environment variables.

To connect to Timestream with the AWS SDK for Java, you must provide AWS credentials. The Timestream Java client tries to find AWS credentials by using the default credential provider chain implemented by the DefaultAWSCredentialsProviderChain class. For more information about using the default credential provider chain, see Working with AWS Credentials in the AWS SDK for Java Developer Guide.

To install and configure the AWS CLI, see Accessing Amazon Timestream Using the AWS CLI .

You can access Timestream using the AWS Management Console, CLI, or the Timestream API.