Rotate an IAM access key with overlap
📑 On this page
Part 122 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.
What we are learning
A controlled rotation briefly overlaps old and new keys, updates every consumer, validates the replacement, and then removes the old key.
Before you run it
USER_NAME="aws-zero-learner"
OLD_KEY_ID="replace-with-current-key-id"An IAM user can have at most two access keys. Inventory current keys and consumers before creating another.
The command
umask 077
aws iam create-access-key \
--user-name "$USER_NAME" > replacement-key.json
# Update the approved secret store and every consumer, then test them.
aws iam update-access-key \
--user-name "$USER_NAME" \
--access-key-id "$OLD_KEY_ID" \
--status InactiveKeep the old key inactive for a short monitored rollback window only if your security process permits.
Inspect the result
aws iam list-access-keys \
--user-name "$USER_NAME" \
--query "AccessKeyMetadata[].{ID:AccessKeyId,Status:Status,Created:CreateDate}" \
--output tableRead the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.
One tiny variation
aws iam delete-access-key \
--user-name "$USER_NAME" \
--access-key-id "$OLD_KEY_ID"Delete the old key after monitoring proves the replacement is working everywhere.
Common mistake
Creating the replacement is not rotation completion. Forgotten consumers, stale secrets, and an old active key leave the original risk in place.
Cleanup
NEW_KEY_ID=$(aws iam list-access-keys \
--user-name "$USER_NAME" \
--query "sort_by(AccessKeyMetadata,&CreateDate)[-1].AccessKeyId" \
--output text)
aws iam update-access-key \
--user-name "$USER_NAME" \
--access-key-id "$NEW_KEY_ID" \
--status InactiveFor this demo, deactivate the replacement too and delete both keys after confirming they are unused. Securely remove replacement-key.json.
Next, we will learn Generate an IAM credential report.