Creating access keys for the root user - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating access keys for the root user

Warning

We strongly recommend that you do not create access key pairs for your root user. Because only a few tasks require the root user and you typically perform those tasks infrequently, we recommend signing in to the Amazon Web Services Management Console to perform the root user tasks.

Although we don't recommend it, you can create access keys for your root user so that you can run commands in the Amazon Command Line Interface (Amazon CLI) or use API operations from one of the Amazon SDKs using root user credentials.

Amazon Web Services Management Console
To create an access key for the Amazon Web Services account root user
Minimum permissions

To perform the following steps, you must have at least the following IAM permissions:

  • You must sign in as the Amazon Web Services account root user, which requires no additional Amazon Identity and Access Management (IAM) permissions. You can't perform these steps as an IAM user or role.

  1. Use your Amazon Web Services account's email address and password to sign in to the Getting Started with the Amazon Web Services Management Console as your Amazon Web Services account root user.

  2. In the upper right corner of the console, choose your account name or number and then choose Security Credentials.

  3. In the Access keys section, choose Create access key. If this option is not available, then you already have the maximum number of access keys. You must delete one of the existing access keys before you can create a new key. For more information, see IAM Object Quotas in the IAM User Guide.

  4. On the Alternatives to root user access keys page, review the security recommendations. To continue, select the check box, and then choose Create access key.

  5. On the Retrieve access key page, your Access key ID is displayed.

  6. Under Secret access key, choose Show and then copy the access key ID and secret key from your browser window and paste it somewhere secure. Alternatively, you can choose Download .csv file which will download a file named rootkey.csv that contains the access key ID and the secret key. Save the file somewhere safe.

  7. Choose Done. When you no longer need the access key we recommend that you delete it, or at least consider deactivating it so that no one can misuse it.

Amazon CLI & SDKs
To create an access key for the root user
Note

To run the following command or API operation as the root user, you must already have one active access key pair. If you don't have any access keys, create the first access key using the Amazon Web Services Management Console. Then, you can use the credentials from that first access key with the Amazon CLI to create the second access key, or to delete an access key.

  • Amazon CLI: aws iam create-access-key

    $ aws iam create-access-key
{
    "AccessKey": {
        "UserName": "MyUserName",
        "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "Status": "Active",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "CreateDate": "2021-04-08T19:30:16+00:00"
    }
}

  • Amazon API: CreateAccessKey in the IAM API Reference.