← All posts
2 min read

Create an IAM user access key carefully

#aws#cli#iam#security#identity#credentials
📑 On this page

Part 119 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

Access keys are long-term credentials. Prefer IAM Identity Center for humans and roles for workloads; create a user key only for a justified legacy requirement.

Before you run it

aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"

IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.

The command

umask 077
aws iam create-access-key \
  --user-name "$USER_NAME"   > new-access-key.json
ACCESS_KEY_ID=$(node -p "require('./new-access-key.json').AccessKey.AccessKeyId")

The secret access key appears only in the create response. Protect the file immediately and move the secret into an approved secret store.

Inspect the result

aws iam list-access-keys \
  --user-name "$USER_NAME" \
  --query "AccessKeyMetadata[].{ID:AccessKeyId,Status:Status,Created:CreateDate}" \
  --output table

Read the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.

One tiny variation

aws iam get-access-key-last-used \
  --access-key-id "$ACCESS_KEY_ID"

Last-used data can help assess whether a key is still needed, though reporting can lag.

Common mistake

Never commit, email, paste into tickets, or print the secret into shared logs. If exposure is possible, deactivate and replace the key.

Cleanup

aws iam update-access-key \
  --user-name "$USER_NAME" \
  --access-key-id "$ACCESS_KEY_ID" \
  --status Inactive

Deactivate the demo key immediately. Delete it after confirming it is not used. Securely remove the local JSON file.

Next, we will learn List IAM access key metadata.

Official AWS CLI reference