Get Access Key ID and Secret Access Key for AWS
Last updated: Sep 27, 2021
Reading time·5 min
# Table of Contents
- Get Access Key ID and Secret Access Key for Root Account
- Get Access Key ID and Secret Access Key for an IAM Account
- Deactivating and Deleting your AWS Security Credentials
# Get Access Key ID and Secret Access Key for AWS
The Access key ID and Secret Access key values are the security credentials AWS uses to verify your identity and grant or deny you access to specific resources.
In an AWS account, you have:
- Root account Access Keys - they grant permissions to perform any action on any resource in the account
- IAM user Access Keys - they only allow actions that are explicitly allowed in the user's IAM policies
This article shows how to:
- generate security credentials for your
Root AWS account - generate security credentials for your
IAM AWS accounts - deactivate your security credentials if they get exposed
# Get Access Key ID and Secret Access Key for Root Account
Access Key Id and Secret access key for your root account be aware that these keys grant permissions to perform any action on all resources in your account.If they get exposed, e.g. uploaded to a public GitHub repository, your account is compromised and you have to deactivate and delete the credentials immediately.
In order to get an Access Key ID and Secret Access Key for your Root AWS account:
- Open the AWS console and make sure you are logged in with your root username and password
- In the navigation bar, click on your username and select
My Security Credentials
- In the
AWS IAM credentialstab scroll down to theAccess keyssection and click on theCreate access keybutton
- Make sure to download the file with your access keys. The Secret Access key can be retrieved only upon creation
- If your account already has credentials that you aren't using or don't have access to, it's best to deactivate and delete them
Access Key ID and Secret Access Key, you will not be able to retrieve the Secret access key value again.The solution is to delete the old credentials, generate new ones and save the file on your local file system.
# Get Access Key ID and Secret Access Key for an IAM Account
Using credentials associated with an IAM account is the recommended way to access AWS resources because you can control the permissions of an IAM user, whereas the root account permits any action on all resources in the account.
In order to get an Access Key ID and Secret Access Key for an IAM AWS account:
- Open the IAM console
- In the sidebar click on
Users
- If you have an existing user you would like to generate credentials for, click on the user's name.
- Click on the
Security Credentialstab, scroll down to theAccess keyssection and click onCreate access key
Download the file with the Access key id and Secret access key. Note that the Secret Access Key can only be retrieved at the moment of creation.
If you don't have an IAM user you have to create one. Click on the
Add usersbutton.On the user creation page:
- give your user a name
- check the
Access key - Programmatic accesscheckbox - it enables the creation of Access Key ID and Secret Access Key for the user - if your IAM user will be used to log into the AWS console, you need to give
them a password, check the
Password - AWS Management Console accessand set a password for the user
- Click on the
Next: Permissionsbutton. This is the step when you have to decide what your IAM user is allowed to do. Often IAM users are used as replacement for the Root AWS account and need administrative permissions.
AdministratorAccess policy to the user, which grants less permissions that the root account, but still enables you to work with all services.- To attach the
AdministratorAccesspolicy, click onAttach existing policies directlyand filter forAdministratorAccessin the search field.
Click on
Next: Tags, then click onNext: Reviewand finally click onCreate userThe user's Access Key ID and Secret access key will be shown on the screen. Make sure to download the file with the credentials because the Secret access key is only shown this one time
# Deactivating and Deleting your AWS Security Credentials
If your credentials get exposed, for instance, you upload them to a remote repository with public access, you have to immediately deactivate and delete them.
If another person has access to your AWS Access Key ID and Secret Access Key, they can provision resources in your account and get you a massive bill, e.g. for bitcoin mining.
To deactivate and delete your AWS Security Credentials:
- Open the IAM console
- Click on the affected user
- Click on
Security Credentialsand scroll down to theAccess keyssection
- Click on
Make inactiveto deactivate your credentials and then delete them
# Additional Resources
You can learn more about the related topics by checking out the following tutorials:
- How to Get your Account Id with AWS CLI
- How to Get your Default Profile with AWS CLI
- Manage Multiple Accounts with the AWS CLI
- Set your Default Profile's Name in AWS CLI
- How to Clear your AWS CLI Credentials
- View your AWS CLI logs in Real Time (tail)
- How to turn off the Pager in AWS CLI
- Create a Role with AWS CLI - Complete Guide
- Create a Lambda Function with AWS CLI - Complete Guide
- Invoke Lambda Functions with AWS CLI - Complete Guide
- Tag an S3 Bucket with AWS CLI
- AWS CDK Tutorial for Beginners - Step-by-Step Guide
- How to use Parameters in AWS CDK
- The AWS Access Key Id does not exist in our records
