Get Access Key ID and Secret Access Key for AWS

Borislav Hadzhiev

Mon Sep 27 2021 · 5 min read

Table of Contents

  1. Get Access Key ID and Secret Access Key for Root Account
  2. Get Access Key ID and Secret Access Key for an IAM Account
  3. Deactivating and Deleting your AWS Security Credentials

Get Access Key ID and Secret Access Key for AWS

The Access Key ID and Secret Access Key values are the security credentials AWS uses to verify your identity and grant or deny you access to specific resources.

In an AWS account you have:

  • Root account Access Keys - they grant permissions to perform any action on any resource in the account
  • IAM user Access Keys - they only allow actions that are explicitly allowed in the user's IAM policies

This article shows how to:

  • generate security credentials for your Root AWS account
  • generate security credentials for your IAM AWS accounts
  • deactivate your security credentials if they get exposed

Get Access Key ID and Secret Access Key for Root Account

Before you generate an Access Key ID and Secret Access Key for your root account, be aware that these keys grant permissions to perform any action on all resources in your account.

If they get exposed, e.g. uploaded to a public GitHub repository, your account is compromised and you have to deactivate and delete the credentials immediately.

In order to get an Access Key ID and Secret Access Key for your Root AWS account:

  1. Open the AWS console and make sure you are logged in with your root username and password
  2. In the navigation bar, click on your username and select My Security Credentials
  3. In the AWS IAM credentials tab scroll down to the Access keys section and click on the Create access key button
  4. Make sure to download the file with your access keys. The Secret Access key can be retrieved only upon creation
  5. If your account already has credentials, which you are not using or don't have access to, it's best to deactivate and delete them

Once you close the screen that shows your Access Key ID and Secret Access Key, you will not be able to retrieve the Secret access key value again.
The solution is to delete the old credentials, generate new ones and save the file on your local file system.

Get Access Key ID and Secret Access Key for an IAM Account

Using credentials associated with an IAM account is the recommended way to access AWS resources, because you can control the permissions of an IAM user, whereas the root account permits any action on all resources in the account.

In order to get an Access Key ID and Secret Access Key for an IAM AWS account:

  1. Open the IAM console
  2. In the sidebar click on Users
  3. If you have an existing user you would like to generate credentials for, click on the user's name. If you don't have an existing user, scroll down to step 6.
  4. Click on the Security Credentials tab, scroll down to the Access keys section and click on Create access key
  5. Download the file with the Access Key ID and Secret Access Key. Note that the Secret Access Key can only be retrieved at the moment of creation.
  6. If you don't have an IAM user you have to create one. Click on the Add users button.
  7. On the user creation page:
     • give your user a name
     • check the Access key - Programmatic access checkbox - it enables creation of Access Key ID and Secret Access Key for the user
     • if your IAM user will be used to log into the AWS console, you need to give them a password: check the Password - AWS Management Console access checkbox and set a password for the user
  8. Click on the Next: Permissions button. This is the step when you have to decide what your IAM user is allowed to do. Often IAM users are used as a replacement for the Root AWS account and need administrative permissions.
     The permissions for your user are use case dependent. In my case I'll attach an AdministratorAccess policy to the user, which grants fewer permissions than the root account, but still enables you to work with all services.
  9. To attach the AdministratorAccess policy, click on Attach existing policies directly and filter for AdministratorAccess in the search field.
  10. Click on Next: Tags, then click on Next: Review and finally click on Create user
  11. The user's Access Key ID and Secret Access Key will be shown on the screen. Make sure to download the file with the credentials, because the Secret Access Key is only shown this one time

Make sure to never share your AWS Access Key ID and Secret Access key with anybody you don't trust. Always set your credentials as environment variables when used in application code and never upload your credentials to public repositories.

Deactivating and Deleting your AWS Security Credentials

If your credentials get exposed, for instance you upload them to a remote repository with public access, you have to immediately deactivate and delete them.

If another person has access to your AWS Access Key ID and Secret Access Key, they can provision resources in your account and get you a massive bill, e.g. for bitcoin mining.

To deactivate and delete your AWS Security Credentials:

  1. Open the IAM console
  2. Click on the affected user
  3. Click on Security Credentials and scroll down to the Access keys section
  4. Click on Make inactive to deactivate your credentials and then delete them
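The same deactivate-then-delete procedure for an IAM user's key, scripted with the AWS CLI. This is an added example, not part of the original article; the function names are made up for illustration, and it assumes the CLI is configured with a separate, trusted identity that is allowed to manage IAM access keys.

```shell
#!/bin/sh
# Added example (not from the original article): revoke an exposed IAM user
# access key with the AWS CLI. Assumes the CLI runs under a different, trusted
# identity that is allowed to manage IAM access keys.

# List every access key of a user with its status and creation date,
# so that a forgotten second key is noticed as well.
list_user_keys() {
  aws iam list-access-keys --user-name "$1" \
    --query 'AccessKeyMetadata[].[AccessKeyId,Status,CreateDate]' --output text
}

# Deactivate, record last use, then delete one key.
# Usage: revoke_access_key <user-name> <access-key-id>
revoke_access_key() {
  user="$1"; key_id="$2"
  if [ -z "$user" ] || [ -z "$key_id" ]; then
    echo "usage: revoke_access_key <user-name> <access-key-id>" >&2
    return 2
  fi
  # 1. Make the key inactive first. This step is reversible, so it can be done
  #    before every application that still uses the key has been found.
  aws iam update-access-key --user-name "$user" \
    --access-key-id "$key_id" --status Inactive || return 1
  # 2. Record when, in which region and against which service the key was
  #    last used. This has to happen before the key is deleted.
  aws iam get-access-key-last-used --access-key-id "$key_id" || return 1
  # 3. Delete the key. A deleted key cannot be restored.
  aws iam delete-access-key --user-name "$user" \
    --access-key-id "$key_id" || return 1
}
```

If any step fails the function stops, so a key is never deleted without first being deactivated and having its last use recorded.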
