

# Service-specific credentials for IAM users

Service-specific credentials are specialized authentication mechanisms designed for specific Amazon services. These credentials provide simplified authentication compared to standard Amazon credentials, and are tailored to the authentication requirements of individual Amazon services. Unlike access keys, which can be used across multiple Amazon services, service-specific credentials are designed for use with only the service for which they were created. This targeted approach enhances security by limiting the scope of the credentials.

Service-specific credentials typically consist of a user name and password pair or specialized API keys that are formatted according to the requirements of the specific service. When you create service-specific credentials, they are active by default and can be used immediately. You can have a maximum of two sets of service-specific credentials for each supported service per IAM user. This limit allows you to maintain one active set while rotating to a new set when needed. Amazon currently supports service-specific credentials for the following services:

## When to use service-specific credentials


Service-specific credentials are intended for compatibility with third-party libraries, SDKs, tools, or applications that are not natively compatible with Amazon credentials, Amazon SDKs, or Amazon APIs. Such use cases include migrating to Amazon services from self-hosted infrastructure or from services hosted by other providers.

When starting from scratch, and wherever possible, we recommend that you use Amazon temporary credentials, such as those provided by an IAM role, to authenticate with an Amazon service using an Amazon SDK or a library that supports Amazon temporary credentials.

## Rotating service-specific credentials


As a security best practice, rotate service-specific credentials regularly. To rotate credentials without disrupting your applications:

1. Create a second set of service-specific credentials for the same service and IAM user

1. Update all applications to use the new credentials and verify they work correctly

1. Change the status of the original credentials to "Inactive"

1. Verify that all applications are still functioning properly

1. Delete the inactive service-specific credentials when you're confident they're no longer needed
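The five steps above map directly onto the IAM API, and a script that performs them in order (with a rollback if verification fails at step 2 or step 4, and a delete that refuses to touch an Active credential at step 5) is less error-prone than doing them by hand. The following is an added example, not AWS's own code: it drives any client that exposes the boto3 IAM method names (`create_`/`list_`/`update_`/`delete_service_specific_credential`), so `boto3.client("iam")` can be passed in, while the `FakeIAM` class is a constructed in-memory stand-in that lets the file run offline. The response field names it relies on (`ServiceSpecificCredentialId`, `Status`, `ServiceName`, `UserName`) follow the IAM API; `CredentialAgeDays` mirrors the CLI's `--credential-age-days` option; the `verify` callback stands in for whatever smoke test your applications run with the new secret.

```python
"""Rotate IAM service-specific credentials following the five documented steps.

Added example, not AWS code. FakeIAM is a constructed stand-in for a boto3 IAM
client; the real client can be passed to rotate_credential/retire_inactive instead.
"""
import itertools
from typing import Callable, Optional

MAX_PER_SERVICE = 2  # documented limit: two credential sets per service per IAM user


class FakeIAM:
    """Constructed in-memory IAM client that enforces the two-credential limit."""

    def __init__(self) -> None:
        self._creds: list[dict] = []
        self._ids = itertools.count(1)

    def list_service_specific_credentials(self, UserName, ServiceName=None):
        items = [dict(c) for c in self._creds
                 if c["UserName"] == UserName
                 and (ServiceName is None or c["ServiceName"] == ServiceName)]
        return {"ServiceSpecificCredentials": items}

    def create_service_specific_credential(self, UserName, ServiceName, CredentialAgeDays=None):
        existing = self.list_service_specific_credentials(UserName, ServiceName)
        if len(existing["ServiceSpecificCredentials"]) >= MAX_PER_SERVICE:
            raise RuntimeError("LimitExceeded: two credentials already exist for this service")
        cred = {"UserName": UserName, "ServiceName": ServiceName,
                "ServiceSpecificCredentialId": f"ACCAEXAMPLE{next(self._ids):04d}",  # constructed id
                "Status": "Active"}  # new credentials are active by default
        self._creds.append(cred)
        return {"ServiceSpecificCredential": dict(cred)}

    def update_service_specific_credential(self, UserName, ServiceSpecificCredentialId, Status):
        if Status not in ("Active", "Inactive"):
            raise ValueError("Status must be Active or Inactive")
        self._find(UserName, ServiceSpecificCredentialId)["Status"] = Status
        return {}

    def delete_service_specific_credential(self, UserName, ServiceSpecificCredentialId):
        self._creds.remove(self._find(UserName, ServiceSpecificCredentialId))
        return {}

    def _find(self, user, cred_id):
        for c in self._creds:
            if c["UserName"] == user and c["ServiceSpecificCredentialId"] == cred_id:
                return c
        raise KeyError(f"NoSuchEntity: {cred_id}")


def _set_status(iam, user, cred_ids, status):
    for cred_id in cred_ids:
        iam.update_service_specific_credential(
            UserName=user, ServiceSpecificCredentialId=cred_id, Status=status)


def rotate_credential(iam, user, service, verify: Callable[[dict], bool],
                      credential_age_days: Optional[int] = None):
    """Steps 1-4: create a second credential, verify it, deactivate the old one, re-verify.

    Returns (new_id, old_ids). A failed check is rolled back and raises RuntimeError,
    so the user is never left without a working credential.
    """
    current = iam.list_service_specific_credentials(
        UserName=user, ServiceName=service)["ServiceSpecificCredentials"]
    if len(current) >= MAX_PER_SERVICE:
        raise RuntimeError("both credential slots are in use; retire the inactive one first")
    kwargs = {"UserName": user, "ServiceName": service}
    if credential_age_days is not None:  # omitted -> the key never expires (not recommended)
        kwargs["CredentialAgeDays"] = credential_age_days
    new = iam.create_service_specific_credential(**kwargs)["ServiceSpecificCredential"]
    new_id = new["ServiceSpecificCredentialId"]
    if not verify(new):  # step 2: applications must work with the new credential
        _set_status(iam, user, [new_id], "Inactive")
        raise RuntimeError("new credential failed verification; left Inactive for cleanup")
    old_ids = [c["ServiceSpecificCredentialId"] for c in current]
    _set_status(iam, user, old_ids, "Inactive")  # step 3
    if not verify(new):  # step 4: nothing may still depend on the old credential
        _set_status(iam, user, old_ids, "Active")  # roll back
        raise RuntimeError("applications failed after deactivation; old credential restored")
    return new_id, old_ids


def retire_inactive(iam, user, service):
    """Step 5: delete only credentials already marked Inactive, never an Active one."""
    deleted = []
    for c in iam.list_service_specific_credentials(
            UserName=user, ServiceName=service)["ServiceSpecificCredentials"]:
        if c["Status"] == "Inactive":
            iam.delete_service_specific_credential(
                UserName=user, ServiceSpecificCredentialId=c["ServiceSpecificCredentialId"])
            deleted.append(c["ServiceSpecificCredentialId"])
    return deleted


def demo():
    """Rotate a constructed user's credential; the lambda stands in for a real smoke test."""
    iam, user, service = FakeIAM(), "APIKeyUser_1", "bedrock.amazonaws.com"
    iam.create_service_specific_credential(UserName=user, ServiceName=service, CredentialAgeDays=30)
    new_id, old_ids = rotate_credential(iam, user, service, verify=lambda cred: True,
                                        credential_age_days=30)
    statuses = {c["ServiceSpecificCredentialId"]: c["Status"]
                for c in iam.list_service_specific_credentials(
                    UserName=user, ServiceName=service)["ServiceSpecificCredentials"]}
    return new_id, old_ids, statuses, retire_inactive(iam, user, service)


if __name__ == "__main__":
    print(demo())
```

Because the limit is two sets per service, the rotation refuses to start when both slots are occupied rather than deleting anything on its own; the operator must first run the step-5 cleanup, which only ever removes credentials that are already Inactive.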

## Monitoring service-specific credentials


You can use Amazon CloudTrail to monitor the use of service-specific credentials in your Amazon account. To view CloudTrail events related to service-specific credential usage, review the CloudTrail logs for events from the service where the credentials are used. For more information, see [Logging IAM and Amazon STS API calls with Amazon CloudTrail](cloudtrail-integration.md).

For additional security, consider setting up CloudWatch alarms to notify you of specific credential usage patterns that might indicate unauthorized access or other security concerns. For more information, see [Monitoring CloudTrail Log Files with Amazon CloudWatch Logs](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/monitor-cloudtrail-log-files-with-cloudwatch-logs.html) in the *Amazon CloudTrail User Guide*.
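One concrete form the "usage patterns" above can take is a review of the IAM management events that create, reset, reactivate or delete service-specific credentials, since those are the operations an attacker or a careless operator would perform and they all land in CloudTrail under `eventSource` `iam.amazonaws.com`. The following is an added example, not AWS code: it parses a CloudTrail log file and flags credentials created with no expiration (the `--credential-age-days` value omitted), a credential switched back to `Active`, a secret reset, and denied attempts. The `requestParameters` key names (`userName`, `serviceName`, `credentialAgeDays`, `status`) are assumed to mirror the API parameters and should be checked against your own trail; the records are constructed for the demo and are not real account data.

```python
"""Flag service-specific-credential management events in a CloudTrail log file.

Added example, not AWS code. requestParameters key names are assumed to mirror
the IAM API parameters; the records below are constructed, not real account data.
"""
import json

NEVER_EXPIRES = "credential created without an expiration (credentialAgeDays omitted)"
REACTIVATED = "credential status changed back to Active"
SECRET_RESET = "credential secret reset; confirm this was a planned rotation"
DENIED = "denied attempt to manage service-specific credentials"

# Constructed CloudTrail records in the log-file layout ({"Records": [...]}).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2025-01-10T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateServiceSpecificCredential",
     "userIdentity": {"type": "IAMUser", "userName": "platform-admin"},
     "requestParameters": {"userName": "APIKeyUser_1",
                           "serviceName": "bedrock.amazonaws.com", "credentialAgeDays": 30}},
    {"eventTime": "2025-01-10T09:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateServiceSpecificCredential",
     "userIdentity": {"type": "IAMUser", "userName": "platform-admin"},
     "requestParameters": {"userName": "APIKeyUser_2", "serviceName": "logs.amazonaws.com"}},
    {"eventTime": "2025-01-11T14:20:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateServiceSpecificCredential",
     "userIdentity": {"type": "IAMUser", "userName": "contractor-bob"},
     "requestParameters": {"userName": "APIKeyUser_1",
                           "serviceSpecificCredentialId": "ACCA1234EXAMPLE1234", "status": "Active"}},
    {"eventTime": "2025-01-11T14:21:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ResetServiceSpecificCredential",
     "userIdentity": {"type": "IAMUser", "userName": "contractor-bob"},
     "requestParameters": {"userName": "APIKeyUser_1",
                           "serviceSpecificCredentialId": "ACCA1234EXAMPLE1234"}},
    {"eventTime": "2025-01-12T03:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteServiceSpecificCredential", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "ci-runner"},
     "requestParameters": {"userName": "APIKeyUser_1",
                           "serviceSpecificCredentialId": "ACCA1234EXAMPLE1234"}},
    {"eventTime": "2025-01-12T03:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListServiceSpecificCredentials",
     "userIdentity": {"type": "IAMUser", "userName": "platform-admin"},
     "requestParameters": {"userName": "APIKeyUser_1"}},
]})

# The write operations worth reviewing; the read-only List call is deliberately excluded.
MANAGEMENT_EVENTS = {"CreateServiceSpecificCredential", "UpdateServiceSpecificCredential",
                     "ResetServiceSpecificCredential", "DeleteServiceSpecificCredential"}


def classify(record):
    """Return a reason string if the record deserves review, else None."""
    name = record.get("eventName")
    if record.get("eventSource") != "iam.amazonaws.com" or name not in MANAGEMENT_EVENTS:
        return None  # other services' events and read-only listings are not examined here
    params = record.get("requestParameters") or {}
    if record.get("errorCode"):
        return DENIED
    if name == "CreateServiceSpecificCredential" and "credentialAgeDays" not in params:
        return NEVER_EXPIRES
    if name == "UpdateServiceSpecificCredential" and params.get("status") == "Active":
        return REACTIVATED
    if name == "ResetServiceSpecificCredential":
        return SECRET_RESET
    return None


def audit(trail_json):
    """Parse a CloudTrail log file and return one finding per flagged record, in order."""
    findings = []
    for r in json.loads(trail_json)["Records"]:
        reason = classify(r)
        if reason:
            params = r.get("requestParameters") or {}
            findings.append({"time": r["eventTime"], "event": r["eventName"],
                             "actor": r.get("userIdentity", {}).get("userName"),
                             "target_user": params.get("userName"),
                             "service": params.get("serviceName"), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_TRAIL):
        print(f"{f['time']} {f['event']} by {f['actor']} on {f['target_user']}: {f['reason']}")
```

The same `classify` function can back a CloudWatch Logs metric filter or a subscription-based alarm once the trail is delivered to CloudWatch Logs; the never-expires rule in particular catches the console's **Never expires** choice and the CLI call that omits `--credential-age-days`.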

The following topics provide information about service-specific credentials.

**Topics**
+ [When to use service-specific credentials](#id_credentials_service-specific-creds-usecase)
+ [Rotating service-specific credentials](#id_credentials_service-specific-creds-rotation)
+ [Monitoring service-specific credentials](#id_credentials_service-specific-creds-monitoring)
+ [API keys for Amazon services](id_credentials_api_keys_for_aws_services.md)
+ [Use IAM with Amazon Keyspaces (for Apache Cassandra)](id_credentials_keyspaces.md)

# API keys for Amazon services

You can access Amazon services through the Amazon Web Services Management Console and programmatically using the Amazon CLI or Amazon API. When making programmatic requests to services like Amazon Bedrock and Amazon CloudWatch Logs, you can authenticate using IAM credentials (for example, temporary security credentials or long-term access keys) or API keys. There are two types of API keys:
+ **Long-term API keys** – Long-term API keys are associated with an IAM user and generated using IAM [service-specific credentials](id_credentials_service-specific-creds.md). These credentials are designed for use with only a single Amazon service, enhancing security by limiting credential scope. You can set an expiration time for the long-term API key. You can use the IAM or service-specific console (for example, Amazon Bedrock or CloudWatch Logs console), the Amazon CLI, or Amazon API to generate long-term API keys.
+ **Short-term API keys** (only supported by Amazon Bedrock) – A short-term API key is a pre-signed URL that uses Amazon Signature Version 4. Short-term API keys share the same permissions and expiration as the credentials of the identity that generates the API key and are valid for up to 12 hours or the remaining time of your console session, whichever is shorter. You can use the Amazon Bedrock console, Python package `aws-bedrock-token-generator`, and packages for other programming languages to generate short-term API keys. For more information, see [Generate Amazon Bedrock API keys for easy access to the Amazon Bedrock API](https://docs.amazonaws.cn/bedrock/latest/userguide/api-keys.html) in the *Amazon Bedrock User Guide*.

**Note**  
Long-term API keys have a higher security risk compared to short-term API keys. We recommend using short-term API keys or temporary security credentials when possible. If you use long-term API keys, we recommend implementing regular key rotation practices.

## Supported services


The following table lists the Amazon services that support API keys and the type of API key each service supports.


| # | Service | Long-term API keys | Short-term API keys | Managed policy auto-attached | 
| --- | --- | --- | --- | --- | 
| 1 | Amazon Bedrock | Yes | Yes | [AmazonBedrockLimitedAccess](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonBedrockLimitedAccess.html) | 
| 2 | Amazon CloudWatch Logs | Yes | N/A | [CloudWatchLogsAPIKeyAccess](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/CloudWatchLogsAPIKeyAccess.html) | 

When you generate a long-term API key for a service, the corresponding Amazon managed policy is automatically attached to the IAM user, granting access to core operations for that service. If you require additional access, you can modify the permissions for the IAM user. For information about modifying permissions, see [Adding and removing IAM identity permissions](access_policies_manage-attach-detach.md). For more information on how to use an Amazon Bedrock key, see [Use an Amazon Bedrock API key](https://docs.amazonaws.cn/bedrock/latest/userguide/api-keys-use.html) in the *Amazon Bedrock User Guide*. For more information on how to use bearer token for Amazon CloudWatch Logs, see [Bearer token authentication](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/CWL_HTTP_Endpoints_BearerTokenAuth.html) in the *CloudWatch Logs User Guide*.

## Prerequisites for long-term API keys


Before you can generate a long-term API key in the IAM console, you must meet these prerequisites:
+ An IAM user to associate with the long-term API key. For instructions on creating an IAM user, see [Create an IAM user in your Amazon Web Services account](id_users_create.md).
+ You must have the following IAM policy permissions to manage service-specific credentials for an IAM user. The example policy grants permission to create, list, update, delete, and reset service-specific credentials. Replace the `username` value in the Resource element with the name of the IAM user you will generate long-term API keys for:

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "ManageBedrockServiceSpecificCredentials",
              "Effect": "Allow",
              "Action": [
                  "iam:CreateServiceSpecificCredential",
                  "iam:ListServiceSpecificCredentials",
                  "iam:UpdateServiceSpecificCredential",
                  "iam:DeleteServiceSpecificCredential",
                  "iam:ResetServiceSpecificCredential"
              ],
              "Resource": "arn:aws-cn:iam::*:user/username"
          }
      ]
  }
  ```

## Generating a long-term API key (console)


**To generate a long-term API key for a specific service in the IAM console**

1. Sign in to the Amazon Web Services Management Console and open the IAM console at [https://console.amazonaws.cn/iam/](https://console.amazonaws.cn/iam/).

1. In the navigation pane of the IAM console, choose **Users**.

1. Choose the IAM user you want to generate a long-term API key for.

1. Choose the **Security credentials** tab.

1. In the **API keys** section, choose **Generate API key**.

1. From the **Amazon service** dropdown list, choose the service that you want the API key to authenticate to.

1. For **API key expiration**, do one of the following:
   + Choose an API key expiration duration of **1**, **5**, **30**, **90**, or **365** days.
   + Choose **Custom duration** to specify a custom API key expiration date.
   + Choose **Never expires** (not recommended).

1. Choose **Generate API key**.

1. Copy or download your API key. This is the only time you can view the API key value.
**Important**  
Store your API key securely. After you close the dialog box, you cannot retrieve the API key again. If you lose or forget your API key, you cannot retrieve it. Instead, generate a new API key and make the old key inactive.

## Generating a long-term API key (Amazon CLI)


To generate a long-term API key using the Amazon CLI, use the following steps:

1. Create the IAM user that will be used with Amazon Bedrock or Amazon CloudWatch Logs using the [create-user](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-user.html) command:

   ```
   aws iam create-user \
       --user-name APIKeyUser_1
   ```

1. Attach the Amazon managed policy for the service to the IAM user using the [attach-user-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/attach-user-policy.html) command.

   For Amazon Bedrock:

   ```
   aws iam attach-user-policy --user-name APIKeyUser_1 \
       --policy-arn arn:aws:iam::aws:policy/AmazonBedrockLimitedAccess
   ```

   For Amazon CloudWatch Logs:

   ```
   aws iam attach-user-policy --user-name APIKeyUser_1 \
       --policy-arn arn:aws:iam::aws:policy/CloudWatchLogsAPIKeyAccess
   ```

1. Generate the long-term API key using the [create-service-specific-credential](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-service-specific-credential.html) command.

   For Amazon Bedrock:

   ```
   aws iam create-service-specific-credential \
       --user-name APIKeyUser_1 \
       --service-name bedrock.amazonaws.com \
       --credential-age-days 30
   ```

   For Amazon CloudWatch Logs:

   ```
   aws iam create-service-specific-credential \
       --user-name APIKeyUser_1 \
       --service-name logs.amazonaws.com \
       --credential-age-days 30
   ```
**Note**  
The `--credential-age-days` parameter is optional. You can specify a value between 1–36600 days. If you omit this parameter, the API key does not expire.

The returned `ServiceApiKeyValue` in the response is your long-term API key for the respective service. Store the `ServiceApiKeyValue` value securely, as you cannot retrieve it later.

### List long-term API keys (Amazon CLI)


To list long-term API key metadata for a specific user, use the [list-service-specific-credentials](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-service-specific-credentials.html) command with the `--user-name` parameter:

```
aws iam list-service-specific-credentials \
    --service-name bedrock.amazonaws.com \
    --user-name APIKeyUser_1
```

**Note**  
Replace `bedrock.amazonaws.com` with the appropriate service name (for example, `logs.amazonaws.com` for Amazon CloudWatch Logs).

To list long-term API key metadata for all users in the account, use the [list-service-specific-credentials](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-service-specific-credentials.html) command with the `--all-users` parameter:

```
aws iam list-service-specific-credentials \
    --service-name bedrock.amazonaws.com \
    --all-users
```

### Update long-term API key status (Amazon CLI)


To update the status of a long-term API key, use the [update-service-specific-credential](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-service-specific-credential.html) command, passing either `Inactive` or `Active` for `--status`:

```
aws iam update-service-specific-credential \
    --user-name "APIKeyUser_1" \
    --service-specific-credential-id "ACCA1234EXAMPLE1234" \
    --status Inactive|Active
```

## Generating a long-term API key (Amazon API)


You can use the following IAM API operations to manage long-term API keys for any supported service:
+  [https://docs.amazonaws.cn/IAM/latest/APIReference/API_CreateServiceSpecificCredential.html](https://docs.amazonaws.cn/IAM/latest/APIReference/API_CreateServiceSpecificCredential.html) 
+  [https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListServiceSpecificCredentials.html](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListServiceSpecificCredentials.html) 
+  [https://docs.amazonaws.cn/IAM/latest/APIReference/API_UpdateServiceSpecificCredential.html](https://docs.amazonaws.cn/IAM/latest/APIReference/API_UpdateServiceSpecificCredential.html) 
+  [https://docs.amazonaws.cn/IAM/latest/APIReference/API_DeleteServiceSpecificCredential.html](https://docs.amazonaws.cn/IAM/latest/APIReference/API_DeleteServiceSpecificCredential.html) 
+  [https://docs.amazonaws.cn/IAM/latest/APIReference/API_ResetServiceSpecificCredential.html](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ResetServiceSpecificCredential.html) 

## Short-term API keys (Amazon Bedrock)


Short-term API keys are currently supported by Amazon Bedrock only. For information on generating and using short-term API keys, see [Generate an API key](https://docs.amazonaws.cn/bedrock/latest/userguide/api-keys-generate.html) in the *Amazon Bedrock User Guide*.

## Service-specific information

+ For more information about using API keys with Amazon Bedrock, see [Use an Amazon Bedrock API key](https://docs.amazonaws.cn/bedrock/latest/userguide/api-keys-use.html) in the *Amazon Bedrock User Guide*.
+ For more information about using API keys with Amazon CloudWatch Logs, see [Log ingestion through HTTP endpoints](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/CWL_HTTP_Endpoints.html) in the *Amazon CloudWatch Logs User Guide*.

# Use IAM with Amazon Keyspaces (for Apache Cassandra)

Amazon Keyspaces (for Apache Cassandra) is a scalable, highly available, and managed Apache Cassandra-compatible database service. You can access Amazon Keyspaces through the Amazon Web Services Management Console, or programmatically. To access Amazon Keyspaces programmatically with service-specific credentials, you can use `cqlsh` or open-source Cassandra drivers. *Service-specific credentials* include a user name and password like those that Cassandra uses for authentication and access management. You can have a maximum of two sets of service-specific credentials for each supported service per user.

To access Amazon Keyspaces programmatically with Amazon access keys, you can use the Amazon SDK, the Amazon Command Line Interface (Amazon CLI) or open-source Cassandra drivers with the SigV4 plugin. To learn more, see [Create and configure Amazon credentials for Amazon Keyspaces](https://docs.amazonaws.cn//keyspaces/latest/devguide/access.credentials.html) in the *Amazon Keyspaces (for Apache Cassandra) Developer Guide*.

**Note**  
If you plan to interact with Amazon Keyspaces only through the console, you don't need to generate service-specific credentials. For more information, see [Accessing Amazon Keyspaces using the console](https://docs.amazonaws.cn/keyspaces/latest/devguide/console_keyspaces.html) in the *Amazon Keyspaces (for Apache Cassandra) Developer Guide*.

For more information about the permissions required to access Amazon Keyspaces, see [Amazon Keyspaces (for Apache Cassandra) Identity-Based Policy Examples](https://docs.amazonaws.cn/keyspaces/latest/devguide/security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-console) in the *Amazon Keyspaces (for Apache Cassandra) Developer Guide*.

## Generating Amazon Keyspaces credentials (console)


You can use the Amazon Web Services Management Console to generate Amazon Keyspaces (for Apache Cassandra) credentials for your IAM users.

**To generate Amazon Keyspaces service-specific credentials (console)**

1. Sign in to the Amazon Web Services Management Console and open the IAM console at [https://console.amazonaws.cn/iam/](https://console.amazonaws.cn/iam/).

1. In the navigation pane, choose **Users** and then choose the name of the user that requires the credentials.

1. On the **Security Credentials** tab beneath **Credentials for Amazon Keyspaces (for Apache Cassandra)**, choose **Generate credentials**.

1. Your service-specific credentials are now available. This is the only time that the password can be viewed or downloaded. You cannot recover it later. However, you can reset your password at any time. Save the user and password in a secure location, because you'll need them later.

## Generating Amazon Keyspaces credentials (Amazon CLI)


You can use the Amazon CLI to generate Amazon Keyspaces (for Apache Cassandra) credentials for your IAM users.

**To generate Amazon Keyspaces service-specific credentials (Amazon CLI)**
+ Use the following command:
  + [aws iam create-service-specific-credential](https://docs.amazonaws.cn/cli/latest/reference/iam/create-service-specific-credential.html)

## Generating Amazon Keyspaces credentials (Amazon API)


You can use the Amazon API to generate Amazon Keyspaces (for Apache Cassandra) credentials for your IAM users.

**To generate Amazon Keyspaces service-specific credentials (Amazon API)**
+ Complete the following operation:
  + [CreateServiceSpecificCredential](https://docs.amazonaws.cn/IAM/latest/APIReference/API_CreateServiceSpecificCredential.html) 