URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html


Manage access keys for IAM users - AWS Identity and Access Management


MANAGE ACCESS KEYS FOR IAM USERS



IMPORTANT

As a best practice, use temporary security credentials (such as IAM roles)
instead of creating long-term credentials like access keys. Before creating
access keys, review the alternatives to long-term access keys.

Access keys are long-term credentials for an IAM user or the AWS account root
user. You can use access keys to sign programmatic requests to the AWS CLI or
AWS API (directly or using the AWS SDK). For more information, see AWS Signature
Version 4 for API requests.

Access keys consist of two parts: an access key ID (for example,
AKIAIOSFODNN7EXAMPLE) and a secret access key (for example,
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). You must use both the access key ID
and secret access key together to authenticate your requests.



When you create an access key pair, save the access key ID and secret access key
in a secure location. The secret access key can be retrieved only at the time
you create it. If you lose your secret access key, you must delete the access
key and create a new one. For more instructions, see Update access keys.

You can have a maximum of two access keys per user.

IMPORTANT

Manage your access keys securely. Do not provide your access keys to
unauthorized parties, even to help find your account identifiers. Doing so
might give someone permanent access to your account.

The following topics detail management tasks associated with access keys.

TOPICS

 * Permissions required to manage access keys
 * How IAM users can manage their own access keys
 * How an IAM administrator can manage IAM user access keys
 * Update access keys
 * Secure access keys
 * Use IAM with Amazon Keyspaces (for Apache Cassandra)

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.