IAM users can create access keys, which serve as long-term credentials for CLI login and AWS API access. This way, CLI-only IAM users don't need a login password, and API access can be configured without one. An IAM access key can be revoked at any time if it is compromised.
Access Keys or SSO?
You don't always need long-term access keys. If you want a personal IAM user, it might be more appropriate to use IAM Identity Center (formerly SSO). For example, after setting up your IAM Identity Center user, you can use `aws configure sso` to log in via SSO on the AWS CLI. If the login session has expired, simply use `aws sso login --profile=<your-profile>`. You can also set up third-party SSO access (GitHub) via OIDC roles.
Quotas
An IAM user can have 0-2 access keys. Each access key is either active or inactive, and keys in both states count toward the quota.
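What the quota means when replacing a key, as an added example that is not part of the original page: given the JSON printed by `aws iam list-access-keys`, it returns the ordered `aws iam` commands for the replacement, freeing a slot first when an inactive key is occupying it. The user name, key IDs and function names are constructed for illustration.

```python
import json
import shlex

MAX_KEYS = 2  # per-user quota from the page; inactive keys still occupy a slot

# Constructed sample in the shape `aws iam list-access-keys` prints (not real keys).
SAMPLE = json.dumps({"AccessKeyMetadata": [
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLEOLD000001",
     "Status": "Inactive", "CreateDate": "2023-01-10T09:00:00+00:00"},
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLECUR000002",
     "Status": "Active", "CreateDate": "2024-02-01T09:00:00+00:00"},
]})


def _iam(action, user, key_id=None, status=None):
    """Build one `aws iam` command line, shell-quoted."""
    argv = ["aws", "iam", action, "--user-name", user]
    if key_id:
        argv += ["--access-key-id", key_id]
    if status:
        argv += ["--status", status]
    return shlex.join(argv)


def plan_rotation(list_output, rotate_id):
    """Return the ordered commands that replace `rotate_id` with a new key."""
    keys = json.loads(list_output)["AccessKeyMetadata"]
    target = next((k for k in keys if k["AccessKeyId"] == rotate_id), None)
    if target is None:
        raise KeyError(f"{rotate_id} is not in the listing")
    user = target["UserName"]
    steps = []
    if len(keys) >= MAX_KEYS:
        # Quota is full: the other slot must be freed before a new key can exist.
        other = next(k for k in keys if k["AccessKeyId"] != rotate_id)
        if other["Status"] == "Active":
            raise RuntimeError("both slots hold active keys; retire one first")
        steps.append(_iam("delete-access-key", user, other["AccessKeyId"]))
    steps.append(_iam("create-access-key", user))
    # After clients have switched to the new key: deactivate, then delete the old one.
    steps.append(_iam("update-access-key", user, rotate_id, "Inactive"))
    steps.append(_iam("delete-access-key", user, rotate_id))
    return steps


if __name__ == "__main__":
    for line in plan_rotation(SAMPLE, "AKIAEXAMPLECUR000002"):
        print(line)
```

The planner only builds the command lines; nothing is sent to AWS.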
Key Structure
- Access key ID: all uppercase (?) + numeric
  - akin to a username
- Secret access key: mixed case + numeric + symbols
  - akin to a password
To create an access key
- Navigate to IAM Dashboard → Access Key
- Choose Purpose
- Give it a name
- Download or copy key