
Managing Access Keys for IAM Users

Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). For more information, see Signing AWS API Requests in the Amazon Web Services General Reference.

Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Manage your access keys as securely as you do your user name and password.

Important

Do not provide your access keys to a third party, even to help find your canonical user ID. By doing this, you might give someone permanent access to your account.

As a best practice, use temporary security credentials (IAM roles) instead of access keys, and disable any AWS account root user access keys. For more information, see Best Practices for Managing AWS Access Keys in the Amazon Web Services General Reference.

If you still need to use long-term access keys, you can create, modify, view, or rotate your access keys (access key IDs and secret access keys). You can have a maximum of two access keys. This allows you to rotate the active keys according to best practices.

When you create an access key pair, save the access key ID and secret access key in a secure location. The secret access key is available only at the time you create it. If you lose your secret access key, you must delete the access key and create a new one. For more details, see Resetting Your Lost or Forgotten Passwords or Access Keys.

Permissions Required

To create access keys for your IAM user, you must have the permissions from the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewAddAccessKeysForUser",
            "Effect": "Allow",
            "Action": [
                "iam:GetUser",
                "iam:CreateAccessKey",
                "iam:ListAccessKeys"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "ListUsersInConsole",
            "Effect": "Allow",
            "Action": "iam:ListUsers",
            "Resource": "*"
        }
    ]
}

To rotate access keys for your IAM user, you must have the permissions from the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageAccessKeysForUser",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteAccessKey",
                "iam:GetAccessKeyLastUsed",
                "iam:UpdateAccessKey",
                "iam:GetUser",
                "iam:CreateAccessKey",
                "iam:ListAccessKeys"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "ListUsersInConsole",
            "Effect": "Allow",
            "Action": "iam:ListUsers",
            "Resource": "*"
        }
    ]
}

Managing Access Keys (Console)

You can use the AWS Management Console to manage an IAM user's access keys.

To create, modify, or delete an IAM user's access keys (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. Choose the name of the user whose access keys you want to manage, and then choose the Security credentials tab.

  4. In the Access keys section, do any of the following:

    • To create an access key, choose Create access key. Then choose Download .csv file to save the access key ID and secret access key to a CSV file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this dialog box closes. After you have downloaded the CSV file, choose Close. When you create an access key, the key pair is active by default, and you can use the pair right away.

    • To disable an active access key, choose Make inactive.

    • To reenable an inactive access key, choose Make active.

    • To delete an access key, choose its X button at the far right of the row. Then choose Delete to confirm. When you delete an access key, it's gone forever and cannot be retrieved. However, you can always create new keys.

To list the access keys for an IAM user (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. Choose the name of the intended user, and then choose the Security credentials tab. The user's access keys and the status of each key are displayed.

    Note

    Only the user's access key ID is visible. The secret access key can only be retrieved when the key is created.

To list the access key IDs for multiple IAM users (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. If necessary, add the Access key ID column to the users table by completing the following steps:

    1. Above the table on the far right, choose the settings icon.

    2. In Manage columns, select Access key ID.

    3. Choose Close to return to the list of users.

  4. The Access key ID column shows each access key ID, followed by its state; for example, 23478207027842073230762374023 (Active) or 22093740239670237024843420327 (Inactive).

    You can use this information to view and copy the access keys for users with one or two access keys. The column displays None for users with no access key.

    Note

    Only the user's access key ID and status are visible. The secret access key can only be retrieved when the key is created.

To find which IAM user owns a specific access key (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. In the search box, type or paste the access key ID of the user you want to find.

  4. If necessary, add the Access key ID column to the users table by completing the following steps:

    1. Above the table on the far right, choose the settings icon.

    2. In Manage columns, select Access key ID.

    3. Choose Close to return to the list of users and confirm that the filtered user owns the specified access key.

Managing Access Keys (AWS CLI)

To manage an IAM user's access keys from the AWS CLI, run the following commands.

Managing Access Keys (AWS API)

To manage an IAM user's access keys from the AWS API, call the following operations.

Rotating Access Keys

As a security best practice, we recommend that you regularly rotate (change) IAM user access keys. If your administrator granted you the necessary permissions, you can rotate your own access keys.

Administrators, for details about granting your users permissions to rotate their own access keys, see Allow Users to Manage Their Own Passwords, Access Keys, and SSH Keys. You can also apply a password policy to your account to require that all of your IAM users periodically rotate their passwords. You can choose how often they must do so. For more information, see Setting an Account Password Policy for IAM Users.

Important

As a best practice, do not use your AWS account root user. If you use the AWS account root user credentials, we recommend that you also regularly rotate them. The account password policy does not apply to the root user credentials. IAM users cannot manage credentials for the AWS account root user, so you must use the root user credentials (not a user's) to change the root user credentials. Note that we recommend against using the root user for everyday work in AWS.

Rotating Access Keys (Console)

You can rotate access keys from the AWS Management Console.

To rotate access keys without interrupting your applications (console)

  1. While the first access key is still active, create a second access key.

    1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

    2. In the navigation pane, choose Users.

    3. Choose the name of the intended user, and then choose the Security credentials tab.

    4. Choose Create access key and then choose Download .csv file to save the access key ID and secret access key to a .csv file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this closes. After you have downloaded the .csv file, choose Close.

      The new access key is active by default. At this point, the user has two active access keys.

  2. Update all applications and tools to use the new access key.

  3. Determine whether the first access key is still in use by reviewing the Last used column for the oldest access key. One approach is to wait several days and then check the old access key for any use before proceeding.

  4. Even if the Last used column value indicates that the old key has never been used, we recommend that you do not immediately delete the first access key. Instead, choose Make inactive to deactivate the first access key.

  5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can choose Make active to reenable the first access key. Then return to Step 3 and update this application to use the new key.

  6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key:

    1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

    2. In the navigation pane, choose Users.

    3. Choose the name of the intended user, and then choose the Security credentials tab.

    4. Locate the access key to delete and choose its X button at the far right of the row. Then choose Delete to confirm.

To determine when access keys need rotating (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. If necessary, add the Access key age column to the users table by completing the following steps:

    1. Above the table on the far right, choose the settings icon.

    2. In Manage columns, select Access key age.

    3. Choose Close to return to the list of users.

  4. The Access key age column shows the number of days since the oldest active access key was created. You can use this information to find users with access keys that need rotating. The column displays None for users with no access key.
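As an added example (not code from the AWS documentation): a small Python audit that derives what the console's Last used column (step 3 of the rotation procedure) and the Access key age column show, from the JSON shapes that `aws iam list-access-keys` and `aws iam get-access-key-last-used` return. The two sample documents are constructed; one key ID is the placeholder from this page, the other is made up in the same shape, and the 90-day and 30-day thresholds are assumptions.

```python
"""Flag an IAM user's access keys that need rotating, from the JSON shapes that
`aws iam list-access-keys` and `aws iam get-access-key-last-used` return.
The two documents below are constructed samples (one placeholder key ID from
this page, one made up in the same shape)."""
import json
from datetime import datetime, timezone

LIST_ACCESS_KEYS = json.loads("""{"AccessKeyMetadata": [
  {"UserName": "alice", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active",
   "CreateDate": "2019-01-10T08:15:00Z"},
  {"UserName": "alice", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE", "Status": "Active",
   "CreateDate": "2019-05-01T09:00:00Z"}]}""")
LAST_USED = {  # one get-access-key-last-used result per key ID
    "AKIAIOSFODNN7EXAMPLE": {"AccessKeyLastUsed": {
        "LastUsedDate": "2019-02-03T12:00:00Z", "ServiceName": "s3", "Region": "us-east-1"}},
    "AKIAI44QH8DHBEXAMPLE": {"AccessKeyLastUsed": {"ServiceName": "N/A", "Region": "N/A"}},
}

def parse_ts(value):
    """IAM timestamps in CLI JSON output are ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_access_keys(listing, last_used, now, max_age_days=90, idle_days=30):
    """Return (AccessKeyId, code, detail) findings; the thresholds are policy choices."""
    findings = []
    keys = listing["AccessKeyMetadata"]
    if sum(k["Status"] == "Active" for k in keys) == 2:  # the two-key maximum
        findings.append(("*", "TWO_ACTIVE", "two active keys: finish the pending rotation"))
    for key in keys:
        kid = key["AccessKeyId"]
        age = (now - parse_ts(key["CreateDate"])).days
        if key["Status"] != "Active":
            findings.append((kid, "INACTIVE", f"inactive key, {age} days old; delete it once nothing needs it"))
            continue
        if age > max_age_days:
            findings.append((kid, "OLD", f"active for {age} days (limit {max_age_days}); rotate"))
        info = last_used.get(kid, {}).get("AccessKeyLastUsed", {})
        if "LastUsedDate" not in info:  # never-used keys report ServiceName "N/A" and no date
            findings.append((kid, "NEVER_USED", "active key never used; make it inactive"))
        else:
            idle = (now - parse_ts(info["LastUsedDate"])).days
            if idle > idle_days:
                findings.append((kid, "IDLE", f"last used {idle} days ago ({info['ServiceName']}, {info['Region']})"))
    return findings

def audit_sample(now="2019-06-01T00:00:00Z"):
    """Run the audit over the constructed sample as of a fixed date."""
    return audit_access_keys(LIST_ACCESS_KEYS, LAST_USED, parse_ts(now))

if __name__ == "__main__":
    for key_id, code, detail in audit_sample():
        print(f"{key_id:<22}{code:<12}{detail}")
```

With real data, feed the function the parsed output of the two CLI commands for each user; a TWO_ACTIVE finding is the state the rotation procedure below leaves you in until the old key is deleted.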

Rotating Access Keys (AWS CLI)

You can rotate access keys from the AWS Command Line Interface.

To rotate access keys without interrupting your applications (AWS CLI)

  1. While the first access key is still active, create a second access key, which is active by default. Run the following command:

    • At this point, the user has two active access keys.

  2. Update all applications and tools to use the new access key.

  3. Determine whether the first access key is still in use by using this command:

    One approach is to wait several days and then check the old access key for any use before proceeding.

  4. Even if Step 3 indicates no use of the old key, we recommend that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command:

  5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to Step 2 and update this application to use the new key.

  6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command:

For more information, see the following:

Rotating Access Keys (AWS API)

You can rotate access keys using the AWS API.

To rotate access keys without interrupting your applications (AWS API)

  1. While the first access key is still active, create a second access key, which is active by default. Call the following operation:

    • At this point, the user has two active access keys.

  2. Update all applications and tools to use the new access key.

  3. Determine whether the first access key is still in use by calling this operation:

    One approach is to wait several days and then check the old access key for any use before proceeding.

  4. Even if Step 3 indicates no use of the old key, we recommend that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive by calling this operation:

  5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to Step 2 and update this application to use the new key.

  6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key by calling this operation:
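The six-step rotation procedure from the CLI and API sections above, as an added example in Python (not code from the AWS documentation). The rotation functions call the boto3 IAM client methods `list_access_keys`, `create_access_key`, `get_access_key_last_used`, `update_access_key` and `delete_access_key`; `FakeIam` is a constructed in-memory stand-in with the same call shapes so the example runs offline, and `boto3.client("iam")` takes its place for real use.

```python
"""Zero-downtime rotation of one IAM user's access key, the six steps above as
code. `iam` is any object with the boto3 IAM client methods called here (pass
boto3.client("iam") for real use); FakeIam is a constructed in-memory stand-in
with the same call shapes so the example runs offline."""

def begin_rotation(iam, user):
    """Step 1: create the second key while the first is still active.
    Refuses unless the user has exactly one key (two is the IAM maximum)."""
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(keys) != 1:
        raise RuntimeError(f"{user} has {len(keys)} access keys; expected exactly 1")
    new = iam.create_access_key(UserName=user)["AccessKey"]
    # The secret is returned only here: hand it to the app config now (step 2).
    return keys[0]["AccessKeyId"], new["AccessKeyId"], new["SecretAccessKey"]

def old_key_used_since(iam, old_id, since):
    """Step 3: True if the old key was used after `since`, the time the apps
    were switched to the new key. Wait several days before trusting a False."""
    info = iam.get_access_key_last_used(AccessKeyId=old_id)["AccessKeyLastUsed"]
    last = info.get("LastUsedDate")  # absent (ServiceName "N/A") when never used
    return last is not None and last > since

def retire_old_key(iam, user, old_id, since, delete=False):
    """Step 4 (delete=False): make the old key Inactive, never straight to deletion.
    Step 6 (delete=True): delete it after a further quiet period. Both refuse if
    the key was used since the switch; step 5 (an app broke) is then
    iam.update_access_key(..., Status="Active") followed by fixing that app."""
    if old_key_used_since(iam, old_id, since):
        return False
    if delete:
        iam.delete_access_key(UserName=user, AccessKeyId=old_id)
    else:
        iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Inactive")
    return True

class FakeIam:
    """Constructed stand-in for boto3's IAM client, covering only the calls above."""
    def __init__(self, user, key_id):
        self.keys = {key_id: {"UserName": user, "AccessKeyId": key_id, "Status": "Active"}}
        self.last_used, self.n = {}, 0
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [k for k in self.keys.values() if k["UserName"] == UserName]}
    def create_access_key(self, UserName):
        self.n += 1
        kid = f"AKIAFAKE{self.n:012d}"  # constructed key ID, not a real one
        self.keys[kid] = {"UserName": UserName, "AccessKeyId": kid, "Status": "Active"}
        return {"AccessKey": {"AccessKeyId": kid, "SecretAccessKey": "constructed-secret"}}
    def get_access_key_last_used(self, AccessKeyId):
        return {"AccessKeyLastUsed": self.last_used.get(AccessKeyId, {"ServiceName": "N/A"})}
    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status
    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]
```

With the real client, `since` is a timezone-aware datetime recorded when the applications were updated, since boto3 returns `LastUsedDate` as a datetime; the waiting periods between steps 3, 4 and 6 stay with the operator.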

For more information, see the following:
