IAM users can create access keys, which serve as long-term credentials for CLI login / AWS API access. This way, CLI-only IAM users don’t actually need a login password, and API access can be configured without a password. IAM access keys can be revoked at any time if a compromise happens.

Access Keys or SSO?

You don’t always need long-term access keys. If you want to have a personal IAM user, it might be more appropriate to use IAM Identity Center (formerly SSO). For example, after setting up your IAM IC user, you can use aws configure sso to log in via SSO on the AWS CLI. If the login session has expired, simply run aws sso login --profile=<your-profile>. You can also set up third-party SSO access (GitHub) via OIDC roles.

Quotas

An IAM user can have 0-2 access keys. An access key can be active or inactive, but both kinds count toward the quota.
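
The quota matters most during rotation: an inactive key still fills a slot, so a new key cannot be created until it is deleted. The sketch below is an added example, not AWS or original-page code. It plans a rotation from the JSON that aws iam list-access-keys prints. The sample user, key IDs, dates and the 90-day age threshold are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

MAX_KEYS = 2  # quota from the text: active and inactive keys both count

# Constructed sample in the shape `aws iam list-access-keys` prints.
# User name, key IDs and dates are invented for this example.
SAMPLE = """{"AccessKeyMetadata": [
  {"UserName": "ci-deployer", "AccessKeyId": "AKIAEXAMPLEOLDKEY001",
   "Status": "Inactive", "CreateDate": "2022-03-01T09:00:00+00:00"},
  {"UserName": "ci-deployer", "AccessKeyId": "AKIAEXAMPLENEWKEY002",
   "Status": "Active", "CreateDate": "2024-01-15T09:00:00+00:00"}]}"""


def plan_rotation(list_keys_json, now, max_age_days=90):
    """Return ordered (action, key_id) steps to rotate the oldest stale key.

    max_age_days is an assumed policy value, not an AWS default.
    """
    keys = json.loads(list_keys_json)["AccessKeyMetadata"]

    def age_days(key):
        return (now - datetime.fromisoformat(key["CreateDate"])).days

    active = sorted((k for k in keys if k["Status"] == "Active"),
                    key=age_days, reverse=True)
    inactive = [k for k in keys if k["Status"] != "Active"]
    stale = [k for k in active if age_days(k) > max_age_days]
    if not stale:
        return []

    steps = []
    if len(keys) >= MAX_KEYS:
        if not inactive:
            # Both slots hold active keys: a person must decide which
            # workload moves first, so no automatic plan is produced.
            return [("manual-review", stale[0]["AccessKeyId"])]
        # An inactive key still occupies a slot and blocks key creation.
        steps.append(("delete", inactive[0]["AccessKeyId"]))  # aws iam delete-access-key

    old = stale[0]["AccessKeyId"]
    steps.append(("create", None))     # aws iam create-access-key
    steps.append(("deactivate", old))  # aws iam update-access-key --status Inactive
    steps.append(("delete", old))      # aws iam delete-access-key, once clients switched
    return steps


if __name__ == "__main__":
    for step in plan_rotation(SAMPLE, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(step)
```

Deactivating the old key before deleting it keeps a rollback path: an inactive key can be re-enabled, a deleted one cannot.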

Key Structure

  • Access key ID: all uppercase (?) + numeric
    • akin to username
  • Secret access key: mixed case + numeric + symbols
    • akin to password

To create an access key

  • Navigate to IAM Dashboard Access Key
  • Choose Purpose
  • Give it a name
  • Download or copy key