How to create and rotate IAM user access keys
Topic: Accounts access
Summary
Create IAM user access keys for CLI and API use, rotate them on a schedule, and deactivate or delete old keys. Use this for human or script access that cannot use IAM roles; prefer roles for applications.
Intent: How-to
Quick answer
- Create a new access key in IAM → Users → user → Security credentials; the secret access key is shown only once, so capture it immediately and keep it in environment variables or a secure credential store, never in code.
- Rotate by creating a second key, switching every consumer to it, then deactivating and finally deleting the old key. IAM allows two access keys per user (active or inactive), so finish each rotation by deleting the old key; in steady state a user should have one active key.
- Set a rotation schedule (e.g. 90 days) and treat keys as sensitive; revoke immediately if leaked (see revoke and find-leaked guides).
Steps
- Create an access key for the IAM user: in IAM → Users → user → Security credentials, create an access key and choose the use case (CLI or application running outside AWS). Save the secret access key once; it cannot be retrieved again.
- Store and use the key securely: configure the AWS CLI with aws configure or the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables; for applications use a secrets manager or secure config, and never commit keys to code.
- Rotate the key: create a new access key, update all consumers to use it, verify they work, then deactivate and delete the old key; repeat on a schedule (e.g. every 90 days).
- Verify and audit: confirm the user has one active key (two only while a rotation is in progress); use list-access-keys and get-access-key-last-used to find unused or old keys for removal.
Summary
You will create IAM user access keys for programmatic access, store them securely, and rotate them on a schedule. Use this when humans or scripts need long-lived credentials; for applications, prefer IAM roles (see migration guide) and use keys only when necessary.
Prerequisites
- IAM user exists with the correct managed policies (see How to create an IAM user with least privilege and How to attach managed policies to an IAM user).
- You have permission to manage access keys for the user: iam:CreateAccessKey, iam:UpdateAccessKey, iam:DeleteAccessKey, iam:ListAccessKeys and iam:GetAccessKeyLastUsed.
Steps
Step 1: Create an access key for the IAM user
Console: IAM → Users → select user → Security credentials → Access keys → Create access key. Choose Command Line Interface (CLI) or Application running outside AWS as needed. Download or copy the secret key once; it cannot be retrieved later.
CLI:
aws iam create-access-key --user-name deploy-prod
Save the AccessKeyId and SecretAccessKey from the JSON output securely; the secret is not returned by any later call. IAM allows at most two access keys per user, and Inactive keys count toward that limit, which is why a rotation must end with the old key deleted.
Step 2: Store and use the key securely
- CLI: Run
aws configure
and enter the access key and secret, or set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in the environment. Prefer named profiles (selected with --profile) and keep production credentials out of the default profile, so a stray command cannot run against production by accident.
- Applications: Use a secrets manager (e.g. AWS Secrets Manager, HashiCorp Vault) or secure config; never hardcode or commit keys. Prefer IAM roles for EC2, Lambda, ECS, etc. (see How to migrate from access keys to IAM roles).
Step 3: Rotate the key
- Create a new access key for the user (Step 1). Do not delete the old key yet.
- Update every system that uses the old key (CLI config, CI, apps) to use the new key. Test that they work.
- Deactivate the old key rather than deleting it straight away:
aws iam update-access-key --user-name deploy-prod --access-key-id AKIA... --status Inactive
An Inactive key can be set back to Active with the same command if a consumer was missed, which a deleted key cannot. IAM changes are eventually consistent, so allow a few seconds before concluding that a new key does not work.
- After confirming no use of the old key, delete it:
aws iam delete-access-key --user-name deploy-prod --access-key-id AKIA...
- Repeat on a schedule (e.g. every 90 days). See How to rotate access keys used by applications for app-specific rotation.
Step 4: Verify and audit
aws iam list-access-keys --user-name deploy-prod
aws iam get-access-key-last-used --access-key-id AKIA...
The second command reports LastUsedDate, ServiceName and Region; LastUsedDate is absent for a key that has never been used. Ensure the user has a single Active key outside a rotation window (two keys is the IAM limit and should only occur mid-rotation); remove or rotate keys that have not been used recently or are past your rotation window. For an account-wide view of key age and last use across all users, generate the IAM credential report (aws iam generate-credential-report, then aws iam get-credential-report).
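The following is an added example for this page, not code from AWS or from the original article. It carries Steps 1 to 4 through as one procedure against the IAM API in its boto3 shape: stale_keys implements the Step 4 audit, rotate_access_key does create, verify, switch, deactivate, and retire_key refuses to delete anything that is still Active. The functions take any object with the boto3 IAM client methods, so pass boto3.client("iam") for real use; the FakeIAM class, the AKIAFAKE... key ids, the user name deploy-prod and the 90/30-day thresholds are constructed assumptions so the script runs offline.

```python
"""Rotate and audit IAM user access keys (added example; boto3 IAM client shape)."""
from datetime import datetime, timedelta, timezone

ROTATION_DAYS = 90   # assumed rotation window
UNUSED_DAYS = 30     # assumed threshold for flagging a key as unused


def stale_keys(iam, user_name, now=None):
    """Step 4: return [(key_id, reason)] for keys past the window or not recently used."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        key_id, age = k["AccessKeyId"], now - k["CreateDate"]
        if age.days > ROTATION_DAYS:
            findings.append((key_id, f"created {age.days} days ago, past the {ROTATION_DAYS}-day window"))
        used = iam.get_access_key_last_used(AccessKeyId=key_id)["AccessKeyLastUsed"]
        last = used.get("LastUsedDate")  # absent when the key has never been used
        if last is None and age.days > UNUSED_DAYS:
            findings.append((key_id, "never used"))
        elif last is not None and (now - last).days > UNUSED_DAYS:
            findings.append((key_id, f"last used {(now - last).days} days ago"))
    return findings


def rotate_access_key(iam, user_name, verify, switch_consumers):
    """Steps 1-3: create a new key, verify it, move consumers, deactivate the old key.

    verify(key_id, secret) -> bool   e.g. sts get-caller-identity with the new key
                                     (retry inside: IAM is eventually consistent)
    switch_consumers(key_id, secret) update CLI profiles, CI secrets, app config
    Returns (new_key_id, old_key_id); old_key_id is None if the user had no key.
    The old key is only deactivated; delete it with retire_key after a grace period.
    """
    existing = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(existing) >= 2:  # IAM allows two keys per user, Active or Inactive
        raise RuntimeError("user already has two access keys; delete one before rotating")
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    new_id, secret = new["AccessKeyId"], new["SecretAccessKey"]
    if not verify(new_id, secret):
        # No consumer has received the new key yet, so deleting it is a clean rollback.
        iam.delete_access_key(UserName=user_name, AccessKeyId=new_id)
        raise RuntimeError("new key failed verification; old key left Active")
    switch_consumers(new_id, secret)
    old_id = existing[0]["AccessKeyId"] if existing else None
    if old_id:
        # Inactive, not deleted: it can be set back to Active if a consumer was missed.
        iam.update_access_key(UserName=user_name, AccessKeyId=old_id, Status="Inactive")
    return new_id, old_id


def retire_key(iam, user_name, key_id):
    """Delete a key only once it is Inactive; never delete an Active key by mistake."""
    meta = {k["AccessKeyId"]: k for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]}
    if meta[key_id]["Status"] != "Inactive":
        raise RuntimeError(f"{key_id} is still Active; deactivate it and wait before deleting")
    iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)


class FakeIAM:
    """Constructed in-memory stand-in for boto3.client("iam"); responses follow the IAM API shape."""

    def __init__(self, keys):
        self.keys = dict(keys)  # key_id -> {UserName, Status, CreateDate, LastUsedDate}
        self.created = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [
            {"UserName": UserName, "AccessKeyId": kid, "Status": k["Status"], "CreateDate": k["CreateDate"]}
            for kid, k in self.keys.items() if k["UserName"] == UserName]}

    def create_access_key(self, UserName):
        self.created += 1
        kid = f"AKIAFAKE{self.created:012d}"  # constructed id, not a real key
        self.keys[kid] = {"UserName": UserName, "Status": "Active",
                          "CreateDate": datetime.now(timezone.utc), "LastUsedDate": None}
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": kid, "Status": "Active",
                              "SecretAccessKey": "constructed-secret-" + kid}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]

    def get_access_key_last_used(self, AccessKeyId):
        k, used = self.keys[AccessKeyId], {"ServiceName": "sts", "Region": "us-east-1"}
        if k["LastUsedDate"] is not None:
            used["LastUsedDate"] = k["LastUsedDate"]
        return {"UserName": k["UserName"], "AccessKeyLastUsed": used}


def sample_iam(now=None):
    """Constructed fixture: deploy-prod has one 120-day-old Active key, last used 2 days ago."""
    now = now or datetime.now(timezone.utc)
    iam = FakeIAM({"AKIAFAKEOLDKEY000001": {"UserName": "deploy-prod", "Status": "Active",
                                             "CreateDate": now - timedelta(days=120),
                                             "LastUsedDate": now - timedelta(days=2)}})
    return iam, now


if __name__ == "__main__":
    iam, now = sample_iam()
    print("stale before rotation:", stale_keys(iam, "deploy-prod", now=now))
    new_id, old_id = rotate_access_key(iam, "deploy-prod",
                                       verify=lambda kid, secret: True,        # would call STS
                                       switch_consumers=lambda kid, secret: None)  # would update config
    retire_key(iam, "deploy-prod", old_id)
    print("keys after rotation:", [k["AccessKeyId"] for k in
                                   iam.list_access_keys(UserName="deploy-prod")["AccessKeyMetadata"]])
```

With the real client, verify should run the new key through STS (get-caller-identity) and switch_consumers should write the new key to every place the audit in Step 4 would otherwise catch later; rotate_access_key deliberately stops at Inactive so that a missed consumer can be recovered by re-activating the old key instead of by creating yet another one.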
Verification
- New key works for the intended use, e.g.
aws sts get-caller-identity
run with the new key (select it with --profile or the environment variables), or the application's own API calls.
- Old key is deactivated and then deleted; the user is left with a single active key.
- Keys are not stored in source code or public config; rotation is documented and scheduled.
Troubleshooting
Secret key lost — You cannot retrieve it. Create a new access key and rotate (create new → switch → delete old). Update all consumers to the new key.
Access denied after rotation — Confirm the new key is Active and the user's policies are unchanged. Check for permission boundaries or SCPs that might deny the action. If the error is InvalidClientTokenId rather than AccessDenied, the key being presented is inactive, deleted or mistyped, so check which key the failing consumer actually loaded.
Application still using old key — Find all references (config, env, secrets manager), update them to the new key, then deactivate the old key and monitor for errors before deleting. If errors appear, set the old key back to Active with update-access-key --status Active, fix the remaining consumer, and deactivate again.