← All posts
2 min read

List IAM access key metadata

#aws#cli#iam#security#identity#credentials
📑 On this page

Part 120 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

list-access-keys never returns secret access keys. It is safe for metadata inventory when output handling is appropriate.

Before you run it

aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"

IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.

The command

aws iam list-access-keys \
  --user-name "$USER_NAME"

IAM writes can take a short time to propagate. Inspect the resource after every change.

Inspect the result

aws iam list-access-keys \
  --user-name "$USER_NAME" \
  --query "AccessKeyMetadata[].{ID:AccessKeyId,Status:Status,Created:CreateDate}" \
  --output table

Read the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.

One tiny variation

KEY_ID=$(aws iam list-access-keys \
  --user-name "$USER_NAME" \
  --query "AccessKeyMetadata[0].AccessKeyId" \
  --output text)
aws iam get-access-key-last-used --access-key-id "$KEY_ID"

Usage metadata helps prioritize old or apparently unused keys for investigation.

Common mistake

An old creation date does not prove a key is unused, and a missing recent-use record is not enough evidence for immediate deletion. Trace consumers first.

Cleanup

# This lesson is read-only or reuses a named demo identity.
aws sts get-caller-identity

Keep shared demo identities only while following the IAM sequence. Part 125 removes them in dependency order.

Next, we will learn Deactivate and reactivate an IAM access key.

Official AWS CLI reference