Creating AWS Access Keys for IAM and IAM Identity Center Users

Naimul Islam
3 min read

Introduction

This document outlines the procedures for creating AWS Access Keys for both IAM users and IAM Identity Center (Federated) Users. These credentials are used for programmatic access to AWS services, enabling applications and tools to interact with AWS resources.

Creating Access Keys for IAM Users

  1. Log in to the AWS Management Console

    • Log in to the AWS Management Console using an account with sufficient permissions to manage IAM users.
  2. Navigate to the IAM Service

    • Search for and select "IAM" from the AWS services list.
  3. Select Users

    • In the IAM dashboard, select "Users" from the left navigation pane.
  4. Choose the IAM User

    • Select the IAM user for whom you want to create access keys.
  5. Go to the Security Credentials Tab

    • Click on the "Security credentials" tab.
  6. Create Access Key

    • In the "Access keys" section, click "Create access key."

    • Choose the use case for the key. For automated access, choose "Command Line Interface (CLI)".

    • Click "Next" then "Create access key".

  7. Store the Access Key and Secret Key

    • A dialog box will display the Access Key ID and Secret Access Key.

    • Important: Download the .csv file or copy the keys and store them in a secure location. The Secret Access Key is only displayed once and cannot be retrieved later.

    • Click "Done".

Obtaining Access Keys for AWS IAM Identity Center Users

AWS IAM Identity Center (formerly AWS SSO) allows users to access multiple AWS accounts and applications with a single set of credentials. Here's how to obtain temporary credentials for IAM Identity Center users.

Go to the AWS access portal of your AWS organization and follow one of the options below to obtain temporary credentials.

  • Option 1: Using AWS CLI

    • To keep your credentials refreshed for longer, it is recommended to configure the AWS CLI to retrieve them automatically using the aws configure sso command.

    • The command prompts for the following, in order:

      1. The SSO start URL.

      2. The SSO Region.

      3. An SSO authorization page opens in your default browser. If you are on a server without a browser, open the URL shown in the terminal from a browser on another machine and enter the displayed code.

      4. The AWS account you want to use.

      5. The default region.

      6. The output format.

      7. A profile name.

    • When the session token expires, run aws sso login --profile <PROFILE_NAME> to log in again.

  • Option 2: Set AWS environment variables

    • Export the access keys as shell environment variables.
    export AWS_ACCESS_KEY_ID="YOUR_AWS_ACCESS_KEY_ID"
    export AWS_SECRET_ACCESS_KEY="YOUR_AWS_SECRET_ACCESS_KEY"
    export AWS_SESSION_TOKEN="YOUR_AWS_SESSION_TOKEN"
  • Option 3: Add a profile to your AWS credentials file

    • Paste the access keys into a profile in your AWS credentials file (~/.aws/credentials).
    [PROFILE_NAME]
    aws_access_key_id=YOUR_AWS_ACCESS_KEY_ID
    aws_secret_access_key=YOUR_AWS_SECRET_ACCESS_KEY
    aws_session_token=YOUR_AWS_SESSION_TOKEN
  • To use this profile, pass its name with --profile:
    aws s3 ls --profile <PROFILE_NAME>
  • Option 4: Use individual values in your AWS service client

    • Paste the access key values directly into the AWS service client configuration in your code.

Conclusion

Creating access keys for an IAM user is straightforward, but the long-lived secret can leak, so the keys need to be rotated regularly. Obtaining access keys for an IAM Identity Center user is more cumbersome, but it is more secure because the credentials are temporary.
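A defender-side check that ties the credentials file format from Option 3 to the rotation point above: this added example (not part of the original post) parses a constructed ~/.aws/credentials file and reports which profiles hold long-lived IAM user keys rather than temporary IAM Identity Center credentials. It relies on the fact that STS temporary key IDs begin with ASIA and long-lived IAM user key IDs with AKIA, which the post itself does not mention.

```python
import configparser
from typing import Dict, List

# Constructed sample in the ~/.aws/credentials format shown above.
# Key IDs and secrets are placeholders, not real credentials.
SAMPLE_CREDENTIALS = """
[iam-user]
aws_access_key_id=AKIAEXAMPLE0000000001
aws_secret_access_key=EXAMPLE_SECRET_FOR_IAM_USER

[sso-temporary]
aws_access_key_id=ASIAEXAMPLE0000000002
aws_secret_access_key=EXAMPLE_SECRET_FOR_SSO_USER
aws_session_token=EXAMPLE_SESSION_TOKEN

[incomplete]
aws_access_key_id=AKIAEXAMPLE0000000003
"""


def classify_profiles(credentials_text: str) -> Dict[str, str]:
    """Map each profile to 'temporary', 'long-lived' or 'incomplete'.

    Temporary (IAM Identity Center / STS) credentials carry an
    aws_session_token and a key ID starting with ASIA; long-lived IAM
    user keys have no session token and start with AKIA.
    """
    parser = configparser.ConfigParser()
    parser.read_string(credentials_text)
    kinds = {}
    for profile in parser.sections():
        section = parser[profile]
        key_id = section.get("aws_access_key_id", "")
        if not key_id or not section.get("aws_secret_access_key"):
            kinds[profile] = "incomplete"
        elif section.get("aws_session_token") and key_id.startswith("ASIA"):
            kinds[profile] = "temporary"
        else:
            kinds[profile] = "long-lived"
    return kinds


def profiles_needing_rotation(credentials_text: str) -> List[str]:
    """Profiles holding long-lived keys, which need regular rotation."""
    kinds = classify_profiles(credentials_text)
    return sorted(p for p, kind in kinds.items() if kind == "long-lived")


if __name__ == "__main__":
    for profile, kind in classify_profiles(SAMPLE_CREDENTIALS).items():
        print(f"{profile:15s} {kind}")
```

Running it against your real file (`open(os.path.expanduser("~/.aws/credentials")).read()`) lists the profiles whose keys are long-lived and therefore on the rotation schedule.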
