Manage access keys for IAM users
Important
As a best practice, use temporary security credentials (such as IAM roles) instead of creating long-term credentials like access keys. Before creating access keys, review the alternatives to long-term access keys.
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). For more information, see AWS Signature Version 4 for API requests.
Access keys consist of two parts: an access key ID (for example,
AKIAIOSFODNN7EXAMPLE
) and a secret access key (for example,
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
). You must use both the access key ID and secret access
key together to authenticate your requests.
When you create an access key pair, save the access key ID and secret access key in a secure location. The secret access key can be retrieved only at the time you create it. If you lose your secret access key, you must delete the access key and create a new one. For more instructions, see Update access keys.
You can have a maximum of two access keys per user.
Important
Manage your access keys securely. Do not provide your access keys to unauthorized parties, even to help find your account identifiers. By doing this, you might give someone permanent access to your account.
It is possible to use access key and secret key credentials for
direct AWS Management Console access, not just the AWS CLI. This can be achieved using the AWS STS
GetFederationToken
API call. By constructing a console URL using the temporary
credentials and token provided by GetFederationToken
, IAM principals can access
the console. For more information, see Enable custom identity broker
access to the AWS console.
The following topics detail management tasks associated with access keys.