File: iam-example-managing-access-keys.rst

.. Copyright 2010-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.

   This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0
   International License (the "License"). You may not use this file except in compliance with the
   License. A copy of the License is located at http://creativecommons.org/licenses/by-nc-sa/4.0/.

   This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
   either express or implied. See the License for the specific language governing permissions and
   limitations under the License.
   
.. _aws-boto3-iam-managing-access-keys:   

########################
Managing IAM access keys
########################

This Python example shows you how to manage the access keys of your users.

The scenario
============

Users need their own access keys to make programmatic calls to AWS from the Amazon Web Services (AWS) 
SDK for Python. To fill this need, you can create, modify, view, or rotate access keys 
(access key IDs and secret access keys) for IAM users. By default, when you create an access key, its
status is Active, which means the user can use the access key for API calls.

In this example, Python code is used to manage access keys in IAM. The code uses the AWS SDK for Python 
to manage IAM access keys using these methods of the IAM client class:

* `create_access_key <https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.create_access_key>`_.

* `paginate(UserName='IAM_USER_NAME') <https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.paginate>`_.

* `get_access_key_last_used <https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.get_access_key_last_used>`_.

* `update_access_key <https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.update_access_key>`_.

* `delete_access_key <https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.delete_access_key>`_.


For more information about IAM access keys, see `Managing Access Keys <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html>`_ 
in the *IAM User Guide*. 

All the example code for the Amazon Web Services (AWS) SDK for Python is available `here on GitHub <https://github.com/awsdocs/aws-doc-sdk-examples/tree/master/python/example_code>`_.

Prerequisite tasks
==================

To set up and run this example, you must first configure your AWS credentials, as described in :doc:`quickstart`.

Create access keys for a user
=============================

Create a new AWS secret access key and corresponding AWS access key ID for the specified user. The 
default status for new keys is :code:`Active`.

The example below shows how to:
 
* Create a new AWS access key using 
  `create_access_key <https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.create_access_key>`_.
 
Example
-------

.. code-block:: python

    import boto3

    # Create IAM client
    iam = boto3.client('iam')

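    # Create an access key
    response = iam.create_access_key(
        UserName='IAM_USER_NAME'
    )

    # The response contains the SecretAccessKey. This is the only time
    # the secret can be retrieved, so store it securely.
    print(response['AccessKey'])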

List a user's access keys
=========================

List information about the access key IDs associated with the specified IAM user. If there are none, 
the action returns an empty list.

If the UserName field is not specified, the UserName is determined implicitly based on the AWS access 
key ID used to sign the request. Because this action works for access keys under the AWS account, 
you can use this action to manage root credentials even if the AWS account has no associated users.

The example below shows how to:
 
* List a user's access keys using 
  `paginate(UserName='IAM_USER_NAME') <https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.paginate>`_.
  
For more information about paginators, see :doc:`paginators`.

Example
-------

.. code-block:: python

    import boto3

    # Create IAM client
    iam = boto3.client('iam')

    # List access keys through the pagination interface.
    paginator = iam.get_paginator('list_access_keys')
    for response in paginator.paginate(UserName='IAM_USER_NAME'):
        print(response)


Get the access key last used
============================

Get information about when the specified access key was last used. The information includes the 
date and time of last use, along with the AWS service and region that were specified in the last request 
made with that key.

The example below shows how to:
 
* Get the access key last used using 
  `get_access_key_last_used <https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.get_access_key_last_used>`_.

Example
-------

.. code-block:: python

    import boto3


    # Create IAM client
    iam = boto3.client('iam')

    # Get last use of access key
    response = iam.get_access_key_last_used(
        AccessKeyId='ACCESS_KEY_ID'
    )

    print(response['AccessKeyLastUsed'])


 
Update access key status
========================

Change the status of the specified access key from Active to Inactive, or vice versa. This action 
can be used to disable a user's key as part of a key rotation workflow.

The example below shows how to:
 
* Change the status of an access key to :code:`Active` using 
  `update_access_key <https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.update_access_key>`_.
 
Example
-------

.. code-block:: python

    import boto3

    # Create IAM client
    iam = boto3.client('iam')

    # Update access key to be active
    iam.update_access_key(
        AccessKeyId='ACCESS_KEY_ID',
        Status='Active',
        UserName='IAM_USER_NAME'
    )
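
The following added example (not part of the original boto3 documentation) combines the listing, last-used, and status-update calls shown above into the disabling step of a key rotation workflow: it finds Active keys that have been idle too long and marks them Inactive. The 90-day threshold, the function names, the ``FakeIAM`` stand-in, and the sample key IDs are assumptions constructed for illustration; pass ``boto3.client('iam')`` in place of ``FakeIAM`` to run it against a real account.

```python
from datetime import datetime, timedelta, timezone

def find_stale_keys(iam, user_name, max_idle_days=90, now=None):
    """Return IDs of Active keys whose last use (or creation, if never used) predates the cutoff."""
    cutoff = (now or datetime.now(timezone.utc)) - timedelta(days=max_idle_days)
    stale = []
    for page in iam.get_paginator('list_access_keys').paginate(UserName=user_name):
        for meta in page['AccessKeyMetadata']:
            if meta['Status'] != 'Active':
                continue
            used = iam.get_access_key_last_used(AccessKeyId=meta['AccessKeyId'])
            # LastUsedDate is absent for a never-used key; fall back to CreateDate.
            last = used['AccessKeyLastUsed'].get('LastUsedDate') or meta['CreateDate']
            if last < cutoff:
                stale.append(meta['AccessKeyId'])
    return stale

def deactivate_keys(iam, user_name, key_ids):
    """Mark keys Inactive (reversible with Status='Active') instead of deleting them."""
    for key_id in key_ids:
        iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status='Inactive')

class FakeIAM:
    """Constructed stand-in for boto3.client('iam') so the example runs offline."""
    def __init__(self, keys, last_used):
        self.keys, self.last_used = keys, last_used
    def get_paginator(self, operation_name):
        return self
    def paginate(self, UserName):
        yield {'AccessKeyMetadata': [k for k in self.keys if k['UserName'] == UserName]}
    def get_access_key_last_used(self, AccessKeyId):
        when = self.last_used.get(AccessKeyId)
        return {'AccessKeyLastUsed': {'LastUsedDate': when} if when else {}}
    def update_access_key(self, UserName, AccessKeyId, Status):
        next(k for k in self.keys if k['AccessKeyId'] == AccessKeyId)['Status'] = Status

def demo():
    """Run the audit over constructed sample keys; returns (stale IDs, resulting statuses)."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    def key(key_id, status, created_days_ago):
        return {'UserName': 'IAM_USER_NAME', 'AccessKeyId': key_id, 'Status': status,
                'CreateDate': now - timedelta(days=created_days_ago)}
    keys = [key('KEY_IDLE', 'Active', 400), key('KEY_RECENT', 'Active', 400),
            key('KEY_NEVER_USED', 'Active', 200), key('KEY_ALREADY_OFF', 'Inactive', 500)]
    last_used = {'KEY_IDLE': now - timedelta(days=120), 'KEY_RECENT': now - timedelta(days=3)}
    iam = FakeIAM(keys, last_used)
    stale = find_stale_keys(iam, 'IAM_USER_NAME', max_idle_days=90, now=now)
    deactivate_keys(iam, 'IAM_USER_NAME', stale)
    return stale, {k['AccessKeyId']: k['Status'] for k in keys}
```

Deactivating first and deleting only after a waiting period keeps the change reversible if an application turns out to still depend on the key.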

    
Delete an access key
====================

Delete the access key pair associated with the specified IAM user.

If you do not specify a user name, IAM determines the user name implicitly based on the AWS access 
key ID signing the request. Because this action works for access keys under the AWS account, you can 
use this action to manage root credentials even if the AWS account has no associated users.

The example below shows how to:
 
* Delete an access key using 
  `delete_access_key <https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.delete_access_key>`_.
  
Example
-------

.. code-block:: python

    import boto3

    # Create IAM client
    iam = boto3.client('iam')

    # Delete access key
    iam.delete_access_key(
        AccessKeyId='ACCESS_KEY_ID',
        UserName='IAM_USER_NAME'
    )