List IAM access key metadata
📑 On this page
Part 120 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.
What we are learning
list-access-keys never returns secret access keys. It is safe for metadata inventory when output handling is appropriate.
Before you run it
aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.
The command
aws iam list-access-keys \
--user-name "$USER_NAME"IAM writes can take a short time to propagate. Inspect the resource after every change.
Inspect the result
aws iam list-access-keys \
--user-name "$USER_NAME" \
--query "AccessKeyMetadata[].{ID:AccessKeyId,Status:Status,Created:CreateDate}" \
--output tableRead the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.
One tiny variation
KEY_ID=$(aws iam list-access-keys \
--user-name "$USER_NAME" \
--query "AccessKeyMetadata[0].AccessKeyId" \
--output text)
aws iam get-access-key-last-used --access-key-id "$KEY_ID"Usage metadata helps prioritize old or apparently unused keys for investigation.
Common mistake
An old creation date does not prove a key is unused, and a missing recent-use record is not enough evidence for immediate deletion. Trace consumers first.
Cleanup
# This lesson is read-only or reuses a named demo identity.
aws sts get-caller-identityKeep shared demo identities only while following the IAM sequence. Part 125 removes them in dependency order.
Next, we will learn Deactivate and reactivate an IAM access key.