Programmatic access with Amazon security credentials - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Programmatic access with Amazon security credentials

We recommend using short-term access keys when possible to make programmatic calls to Amazon or to use the Amazon Command Line Interface or Amazon Tools for PowerShell. However, you can also use long-term Amazon access keys for these purposes.

When you create a long-term access key, you create the access key ID (for example, AKIAIOSFODNN7EXAMPLE) and secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY) as a set. The secret access key is available for download only when you create it. If you don't download your secret access key or if you lose it, you must create a new one.

In many scenarios, you don't need long-term access keys that never expire (as you have when you create access keys for an IAM user). Instead, you can create IAM roles and generate temporary security credentials. Temporary security credentials include an access key ID and a secret access key, but they also include a security token that indicates when the credentials expire. After they expire, they're no longer valid. For more information, see Alternatives to long-term access keys.

Access key IDs beginning with AKIA are long-term access keys for an IAM user or an Amazon Web Services account root user. Access key IDs beginning with ASIA are temporary credentials access keys that you create using Amazon STS operations.

Users need programmatic access if they want to interact with Amazon outside of the Amazon Web Services Management Console. The Amazon APIs and the Amazon Command Line Interface require access keys. Whenever possible, create temporary credentials that consist of an access key ID, a secret access key, and a security token that indicates when the credentials expire.
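An added example (not code from the IAM documentation) that applies the prefix rule above (AKIA = long-term, ASIA = temporary from STS) and the session-token and expiry properties of temporary credentials to vet a credential set before use and to find long-term keys in a shared credentials file. The ASIA key ID, the session token and the credentials-file contents are constructed samples; the AKIA key ID is the documentation's placeholder.

```python
"""Added example (not from the IAM documentation): classify access key IDs by
the prefix rule above (AKIA = long-term IAM user or root user key, ASIA =
temporary key from Amazon STS) and vet a credential set before using it.
Sample values are constructed; the AKIA key is the documentation's placeholder."""
import configparser
import re
from datetime import datetime, timezone

# 4-letter prefix plus 16 uppercase letters or digits (20 characters total).
KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")
PREFIX_KIND = {"AKIA": "long-term", "ASIA": "temporary"}

def classify_key_id(key_id):
    """Return 'long-term', 'temporary' or 'unknown' for an access key ID."""
    m = KEY_ID_RE.match(key_id or "")
    return PREFIX_KIND[m.group(1)] if m else "unknown"

def credential_status(creds, now=None):
    """Assess a dict shaped like the Credentials block STS returns
    (AccessKeyId, SecretAccessKey, SessionToken, Expiration). Returns
    'long-term', 'temporary-valid', 'temporary-expired', 'inconsistent'
    (prefix and session-token presence disagree) or 'unknown'."""
    now = now or datetime.now(timezone.utc)
    kind = classify_key_id(creds.get("AccessKeyId"))
    if kind == "unknown":
        return "unknown"
    if (kind == "temporary") != bool(creds.get("SessionToken")):
        return "inconsistent"
    if kind == "long-term":
        return "long-term"
    exp = creds["Expiration"]
    if isinstance(exp, str):  # ISO 8601 string, as in the JSON response
        exp = datetime.fromisoformat(exp.replace("Z", "+00:00"))
    return "temporary-valid" if exp > now else "temporary-expired"

def long_term_profiles(credentials_file_text):
    """Names of profiles in a shared credentials file that hold AKIA keys."""
    cp = configparser.ConfigParser()
    cp.read_string(credentials_file_text)
    return sorted(p for p in cp.sections()
                  if classify_key_id(cp[p].get("aws_access_key_id")) == "long-term")

# Constructed sample credentials file: a long-term key and an STS-issued set.
SAMPLE_CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
[assumed-role]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_session_token = constructed-session-token
"""
```

Run `long_term_profiles(open(path).read())` against a real shared credentials file to list the profiles that still rely on long-term keys and should move to a role or IAM Identity Center.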

To grant users programmatic access, choose one of the following options.

Which user needs programmatic access? | To | By
IAM | Use short-term credentials to sign programmatic requests to the Amazon CLI or Amazon APIs (directly or by using the Amazon SDKs). | Following the instructions in Using temporary credentials with Amazon resources in the IAM User Guide.
IAM (Not recommended) | Use long-term credentials to sign programmatic requests to the Amazon CLI or Amazon APIs (directly or by using the Amazon SDKs). | Following the instructions in Managing access keys for IAM users in the IAM User Guide.

Alternatives to long-term access keys

For many common use cases, there are alternatives to long-term access keys. To improve your account security, consider the following.

  • Don't embed long-term access keys and secret access keys in your application code or in a code repository – Instead, use Amazon Secrets Manager, or other secrets management solution, so you don't have to hardcode keys in plaintext. The application or client can then retrieve secrets when needed. For more information, see What is Amazon Secrets Manager? in the Amazon Secrets Manager User Guide.

  • Use IAM roles to generate temporary security credentials whenever possible – Always use mechanisms to issue temporary security credentials when possible, rather than long-term access keys. Temporary security credentials are more secure because they are not stored with the user but are generated dynamically and provided to the user when requested. Temporary security credentials have a limited lifetime so you don't have to manage or update them. Mechanisms that provide temporary access keys include IAM roles or the authentication of an IAM Identity Center user. For machines that run outside of Amazon you can use Amazon Identity and Access Management Roles Anywhere.

  • Use alternatives to long-term access keys for the Amazon Command Line Interface (Amazon CLI) or the aws-shell – Alternatives include the following.

    • Amazon CloudShell is a browser-based, pre-authenticated shell that you can launch directly from the Amazon Web Services Management Console. You can run Amazon CLI commands against Amazon Web Services services through your preferred shell (Bash, PowerShell, or Z shell). When you do this, you don't need to download or install command line tools. For more information, see What is Amazon CloudShell? in the Amazon CloudShell User Guide.

    • Amazon CLI Version 2 integration with Amazon IAM Identity Center (IAM Identity Center). You can authenticate users and provide short-term credentials to run Amazon CLI commands. To learn more, see Integrating Amazon CLI with IAM Identity Center in the Amazon IAM Identity Center User Guide and Configuring the Amazon CLI to use IAM Identity Center in the Amazon Command Line Interface User Guide.

  • Don't create long-term access keys for human users who need access to applications or Amazon Web Services services – IAM Identity Center can generate temporary access credentials for your external IdP users to access Amazon Web Services services. This eliminates the need to create and manage long-term credentials in IAM. In IAM Identity Center, create an IAM Identity Center permission set that grants the external IdP users access. Then assign a group from IAM Identity Center to the permission set in the selected Amazon Web Services accounts. For more information, see What is Amazon IAM Identity Center, Connect to your external identity provider, and Permission sets in the Amazon IAM Identity Center User Guide.

  • Don't store long-term access keys within an Amazon compute service – Instead, assign an IAM role to compute resources. This automatically supplies temporary credentials to grant access. For example, when you create an instance profile that is attached to an Amazon EC2 instance, you can assign an Amazon role to the instance and make it available to all of its applications. An instance profile contains the role and enables programs that are running on the Amazon EC2 instance to get temporary credentials. To learn more, see Using an IAM role to grant permissions to applications running on Amazon EC2 instances.