Creating access keys for the root user - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating access keys for the root user


We strongly recommend that you do not create access key pairs for your root user. Because only a few tasks require the root user and you typically perform those tasks infrequently, we recommend signing in to the Amazon Web Services Management Console to perform the root user tasks. Before creating access keys, review the alternatives to long-term access keys.

Although we don't recommend it, you can create access keys for your root user so that you can run commands in the Amazon Command Line Interface (Amazon CLI) or use API operations from one of the Amazon SDKs using root user credentials. When you create access keys, you create the access key ID and secret access key as a set. During access key creation, Amazon gives you one opportunity to view and download the secret access key part of the access key. If you don't download it or if you lose it, you can delete the access key and then create a new one. You can create root user access keys with the console, Amazon CLI, or Amazon API.

A newly created access key has the status of active, which means that you can use the access key for CLI and API calls. You can assign up to two access keys to the root user.

Access keys that are not in use should be inactivated. Once an access key is inactive, you can't use it for API calls. Inactive keys still count toward your limit. You can create or delete an access key any time. However, when you delete an access key, it's gone forever and can't be retrieved.

Amazon Web Services Management Console
To create an access key for the Amazon Web Services account root user
Minimum permissions

To perform the following steps, you must have at least the following IAM permissions:

  • You must sign in as the Amazon Web Services account root user, which requires no additional Amazon Identity and Access Management (IAM) permissions. You can't perform these steps as an IAM user or role.

  1. Use your Amazon Web Services account's email address and password to sign in to the Getting Started with the Amazon Web Services Management Console as your Amazon Web Services account root user.

  2. In the upper right corner of the console, choose your account name or number and then choose Security Credentials.

  3. In the Access keys section, choose Create access key. If this option is not available, then you already have the maximum number of access keys. You must delete one of the existing access keys before you can create a new key. For more information, see IAM Object Quotas.

  4. On the Alternatives to root user access keys page, review the security recommendations. To continue, select the check box, and then choose Create access key.

  5. On the Retrieve access key page, your Access key ID is displayed.

  6. Under Secret access key, choose Show and then copy the access key ID and secret key from your browser window and paste it somewhere secure. Alternatively, you can choose Download .csv file which will download a file named rootkey.csv that contains the access key ID and the secret key. Save the file somewhere safe.

  7. Choose Done. When you no longer need the access key we recommend that you delete it, or at least consider deactivating it so that no one can misuse it.

Amazon CLI & SDKs
To create an access key for the root user

To run the following command or API operation as the root user, you must already have one active access key pair. If you don't have any access keys, create the first access key using the Amazon Web Services Management Console. Then, you can use the credentials from that first access key with the Amazon CLI to create the second access key, or to delete an access key.

  • Amazon CLI: aws iam create-access-key

    $ aws iam create-access-key { "AccessKey": { "UserName": "MyUserName", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active", "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "CreateDate": "2021-04-08T19:30:16+00:00" } }
  • Amazon API: CreateAccessKey in the IAM API Reference.