How to generate AWS access keys

Key takeaways:

  • AWS access keys enable secure programmatic access to AWS services via the CLI and SDK.

  • For security, always generate access keys for IAM users, and not the root user.

  • Regularly rotate and monitor access keys using AWS CloudTrail and CloudWatch to prevent unauthorized access.

  • Prefer IAM roles over access keys for AWS services like EC2, Lambda, and others to reduce credential management risks.

In this Answer, we’ll go over how we can generate AWS access keys for programmatic access to the AWS Cloud using AWS IAM. AWS Identity and Access Management (IAM) is a service provided by AWS to control access to AWS resources and services. With IAM, we can specify which users can access the services and resources.

Note: To progress with this Answer, you must have a working AWS account with the required IAM permissions.

What are IAM and root users?

Before we learn about access keys, we first need to understand what IAM users and root users are. The access keys will be generated for these user types. The root user is created when we sign up for an AWS account. The root user also has root access. In contrast, IAM users are AWS account entities representing individual people or services. Unlike the root user, IAM users can have specific permissions assigned to them, allowing us to follow the principle of least privilege by granting only the necessary permissions for their tasks.

AWS access keys can be generated against both of these user types. But in the context of this Answer, we’ll only generate access keys for a new IAM user that we’ll create with limited permissions. This way, we can safely and securely learn to use these access keys. Also, note that we can attach at most two access key pairs to each user.

What are AWS access keys?

AWS access keys are AWS credentials that consist of an access key ID and a secret access key. These keys securely sign API requests to AWS services, allowing programmatic access to various AWS resources through the AWS CLI or the AWS SDK.

Here’s an overview of the components of AWS access keys:

  • AWS access key ID: The access key ID is a publicly accessible identifier used to identify the source of AWS API requests. It is often included in API requests to identify the IAM user or the AWS service making the request.

  • AWS secret access key: The secret access key is a confidential key used to sign requests made to AWS services. It should be kept confidential and not shared. The secret access key is used in combination with the access key ID to sign requests, providing a secure way to authenticate the source of the requests.

Note: The AWS secret access key is only available for copying or downloading when we generate an AWS access key pair. If we lose our AWS secret access key, we must create a new one.

Safety precautions

AWS access keys are considered long-term credentials for an IAM user, and AWS recommends using short-term credentials, like an IAM role AWS IAM roles are AWS identities with an IAM policy specifying their access within the AWS account. Different entities, including most AWS services and resources like IAM users, can assume a role, giving them temporary credentials to access resources and perform actions in AWS based on the policies attached to the role., when possible. However, in case we still want to generate access keys for a use case that requires programmatic access, we must take the following precautions:

  • Never share secret access keys: The secret access key should be treated like a password and never be shared or hard-coded in any application code.

  • Rotate access keys regularly: Rotating access keys periodically is a good security practice. AWS provides mechanisms to rotate access keys without disrupting services.

  • Use IAM roles: Instead of using access keys directly, consider using IAM roles, especially for applications running on Amazon EC2 instances, Lambda functions, or other AWS services. IAM roles eliminate the need to manage access keys directly and enhance security.

  • Monitor and audit access: Regularly review and audit the usage of access keys. AWS provides tools like AWS CloudTrail for monitoring and logging AWS API activity.

Create an IAM user

To create an IAM user on the AWS Management Console, follow these steps:

  • Sign in with your AWS account on the AWS Management Consolehttps://console.aws.amazon.com/console/home.

  • Search for “IAM” in the search bar and select the “IAM” service.

  • Click “Users” under “Access management” from the AWS sidebar.

  • Click the “Create user” button.

  • Enter temporary-iam-user under “User name” to set the new IAM username.

  • Leave all other settings at their default setting and click the “Next” button.

  • Select the “Attach policies directly” option.

  • Under the “Permissions policies” section, search for the “IAMReadOnlyAccess” policy.

  • Select the “IAMReadOnlyAccess” policy and click the “Next” button.

  • Review the settings and click the “Create user” button.

Note: The AWS-managed IAMReadOnlyAccess policy will only provide read-only access to the temporary-iam-user IAM user for the IAM dashboard.

Generate access keys for the IAM user

To generate AWS credentials for the newly created IAM user, follow these steps:

  • Search for “IAM” in the search bar and click the “IAM” service.

  • Search for the temporary-iam-user user under the “Users” list.

  • Click temporary-iam-user in the search results to open its dashboard.

  • Click and open the “Security credentials” tab.

  • Scroll to the “Access keys” section and click the “Create access key” button.

  • On the “Access key best practices & alternatives” step, perform these actions:

    • Select the “Command Line Interface (CLI)” option.

    • Enable the “I understand the above recommendation and want to proceed to create an access key” confirmation check box and click the “Next” button.

  • On the “Set description tag” step, click the “Create access key” button.

  • Your newly generated AWS credentials will be displayed on the “Retrieve access keys” step. Save the “Access key” and “Secret access key” values somewhere safe, as you won’t have access to them later.

Access the AWS Cloud via the AWS CLI

Now that we’ve generated our AWS access keys, let’s test how to use them on the AWS CLI to connect to the AWS Cloud.

Accessing the AWS Cloud via the AWS CLI
Accessing the AWS Cloud via the AWS CLI

To authenticate ourselves through the AWS CLI, we must first execute the following command to configure and set up the AWS CLI.

aws configure

Let’s execute the command above in the terminal below. After executing the command, make sure to enter your AWS account’s access keys to the “AWS Access Key ID” and “AWS Secret Access Key” prompts. For the “Default region name” prompt, enter us-east-1 as the default region or specify any other AWS region of your choice. Leave the “Default output format” prompt as empty and proceed.

Terminal 1
Terminal
Loading...

Once the AWS CLI has been configured, execute the following command to get the details about the temporary-iam-user IAM user whose AWS access key pair we’ve used to authenticate ourselves through the AWS CLI.

aws sts get-caller-identity

In response, we should get the IAM user’s ID, the AWS Account ID, and the ARN of the IAM user. This response would also confirm that our AWS access keys are working.

Clean up

Before concluding, we need to clean up any resources we created to learn about generating access keys. This would help prevent any misuse in case these access keys get compromised, especially considering we no longer require the temporary-iam-user IAM user. To delete the temporary-iam-user IAM user we created, follow these steps:

  • Navigate to the IAM console by searching for “IAM” in the search bar.

  • Click “Users” from the sidebar.

  • Search for and select the temporary-iam-user user that we previously created.

  • Click the “Delete” button.

  • In the confirmation pop-up, enter temporary-iam-user and click the “Delete” button to permanently delete the user and all its credentials.

Want to learn AWS services? Start your journey with "Learn the A to Z of Amazon Web Services (AWS)"! This beginner-friendly course is the ultimate guide to understanding AWS cloud services. Enroll now and take the first step towards mastering the cloud!

Frequently asked questions

Haven’t found what you were looking for? Contact Us


Is the AWS access key free?

Yes, creating an AWS access key is free. However, any API request made to the AWS-managed keys is charged.


What is the AWS access key expiration?

The AWS access keys are long-term credentials that do not expire. You must follow the security best practices to protect them and prevent potential loss.


Where can I find my AWS access key ID?

The AWS Access Key ID can be found in the “Access Key ID” column by selecting the user in the navigation pane in the AWS Management Console.


Free Resources

Copyright ©2024 Educative, Inc. All rights reserved