Create an IAM user access key carefully
📑 On this page
Part 119 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.
What we are learning
Access keys are long-term credentials. Prefer IAM Identity Center for humans and roles for workloads; create a user key only for a justified legacy requirement.
Before you run it
aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.
The command
umask 077
aws iam create-access-key \
--user-name "$USER_NAME" > new-access-key.json
ACCESS_KEY_ID=$(node -p "require('./new-access-key.json').AccessKey.AccessKeyId")The secret access key appears only in the create response. Protect the file immediately and move the secret into an approved secret store.
Inspect the result
aws iam list-access-keys \
--user-name "$USER_NAME" \
--query "AccessKeyMetadata[].{ID:AccessKeyId,Status:Status,Created:CreateDate}" \
--output tableRead the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.
One tiny variation
aws iam get-access-key-last-used \
--access-key-id "$ACCESS_KEY_ID"Last-used data can help assess whether a key is still needed, though reporting can lag.
Common mistake
Never commit, email, paste into tickets, or print the secret into shared logs. If exposure is possible, deactivate and replace the key.
Cleanup
aws iam update-access-key \
--user-name "$USER_NAME" \
--access-key-id "$ACCESS_KEY_ID" \
--status InactiveDeactivate the demo key immediately. Delete it after confirming it is not used. Securely remove the local JSON file.
Next, we will learn List IAM access key metadata.