How can I revoke my original AWS access key? - amazon-web-services

I'd like to revoke the access key and associated secret that Amazon originally set up for me when I created an AWS account. Their docs have a section "Deleting Access Keys from the Root User", but that describes clicking a "Delete" button in the list of Access Keys in IAM.
However, no access keys were listed for me. I tried to create a new one to see if that would override the old one, but the old one still works. IAM now only lists the new one and thus only allows me to delete that one.
How do I delete the original one?

AWS doesn't set up a key/secret when you create an account.
It is possible you are confusing the IAM user with the root user.

Related

AWS Access Key for S3 user - Key works but don't see it anywhere in the AWS account's IAM users

We're using an AWS Access Key/Secret pair for S3 uploads on an old client website. During an audit, we discovered that the Access Key used for uploads, while still working, doesn't appear to exist in any IAM user for the client's AWS account. I ran aws sts get-access-key-info --access-key-id=[old key] and it returned the correct AWS account ID for our client. But searching for this key in our IAM users (https://console.aws.amazon.com/iam/home?#/users) shows no results. How can this be? Can the Access Key live somewhere else outside IAM?
Accepted answer (kdgregory)
It could belong to the root user. If yes, then you very much want to disable it. – kdgregory 2 hours ago
AFAIK you can only secure and store an AWS Access Key/Secret once you have created the IAM user. I don't think you can get the Access Key and Secret pair again anywhere in AWS unless you have it stored somewhere (which is not a good practice BTW).

AWS Access Key Rotation

I am planning to rotate AWS keys.
My question is, will a program throw an exception if we use expired AWS keys? If yes, what exception is it going to throw?
I didn't find any API to check for an expired AWS key.
Can someone please help?
IAM Users can have two active Access Keys.
Therefore, the normal rotation process is:
Add a new Access Key
Update all software to use the new Access Key (this can take several days)
Revoke the old Access Key
Access Keys do not "expire". They are simply deleted. Trying to make a call on a deleted set of access keys will result in an error that the credentials are not found.
See: How to Rotate Access Keys for IAM Users | AWS Security Blog

Admin access denied with programmatic access in AWS

I'm an admin user on my AWS account, so I have full access. Working through the console, I get no issues. When I try to work with programmatic access though, I get an access denied error. Does anybody have a clue why?
The code and all is OK, it works fine on my other AWS account on which I have admin access as well. Yes, I did change the AWS configuration to match the access keys to the right account.
If you are 100% sure that your code is correctly assuming your admin role and your admin role has the admin policy, then you should be facing one of these:
The resource (e.g., S3) you are trying to access has some explicit deny policy, or does not have an allow policy for your user.
IAM service latency. Say you just created this user with admin access and you try to test it immediately with your code; it might happen that AWS thinks you don't have enough permission. That happened to me when I created a new role: I saw the delay can be up to 20 minutes, but that kind of delay is rare. Still, you cannot assume your update to IAM permissions takes effect immediately, the way an EC2 security group change does.
Have you enabled MFA on the IAM account? If so, you cannot directly access the AWS CLI or API with the access key. You need to create a temporary access key and secret key and use those to access the AWS resource.
With the access key that you configured earlier you need to create the temporary access key. Refer to the links below for the procedure.
https://aws.amazon.com/premiumsupport/knowledge-center/mfa-iam-user-aws-cli/
https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
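The MFA step the answer above describes, written out as an added example (not code from the original answer or the linked articles). It assumes boto3 is installed, that the IAM user's long-term access key is already configured (for instance in ~/.aws/credentials), and uses a placeholder MFA serial ARN and a constructed sample response:

```python
"""Request MFA-backed temporary credentials with STS GetSessionToken and use
them in place of the long-term key. Added example; the serial ARN, account ID
and SAMPLE_CREDS below are placeholders/constructed, not real values."""
from datetime import datetime, timezone


def mfa_session_credentials(mfa_serial, token_code, duration_seconds=3600):
    """Sign GetSessionToken with the long-term key plus the device serial and
    the current code; the returned credentials carry the MFA context that
    MFA-conditioned IAM policies require."""
    import boto3  # imported here so the pure helpers below run without it
    sts = boto3.client("sts")
    resp = sts.get_session_token(SerialNumber=mfa_serial, TokenCode=token_code,
                                 DurationSeconds=duration_seconds)
    return resp["Credentials"]


def env_from_credentials(creds):
    """Map the Credentials structure onto the variables the CLI/SDKs read.
    All three are needed: a session key without its token is rejected."""
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def is_expired(creds, now, skew_seconds=300):
    """True when the session ends within skew_seconds of `now`: time to
    request a fresh session with a new MFA code."""
    return (creds["Expiration"] - now).total_seconds() <= skew_seconds


def client_with_session(service, creds):
    """Build a client from the temporary credentials, not the long-term key."""
    import boto3
    return boto3.client(service, aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


# Constructed sample shaped like the Credentials structure STS returns.
SAMPLE_CREDS = {
    "AccessKeyId": "ASIAEXAMPLETEMPKEY00",
    "SecretAccessKey": "example-temporary-secret",
    "SessionToken": "example-session-token",
    "Expiration": datetime(2024, 9, 1, 13, 0, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    # creds = mfa_session_credentials("arn:aws:iam::123456789012:mfa/alice", "123456")
    for name, value in env_from_credentials(SAMPLE_CREDS).items():
        print(f"export {name}={value}")  # paste into the shell running the CLI
```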

How to check permissions associated with a specific IAM access key in AWS

Is there a way to check which permissions or roles are associated with a specific AWS access key?
The problem is that I have a pair of keys that work, but they are not present in the AWS console. These keys are used regularly by some internal process, but I cannot find which one.
If I search for them in the console they don't appear, nor on the root account.
You can search for the user by Access key ID in the AWS console.
See this blog post for details and screenshots:
https://aws.amazon.com/blogs/security/introducing-iam-console-search/
Don't forget that, according to the blog post,
"... you must type the full access key ID when searching."
In the end I wasn't able to get the roles or policies associated with a specific user, but I was able to track down the user.
So the user was using the root credentials, and since I am using a normal full administrator account I wasn't able to see these creds even in the console.
Pretty scary thing :|
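The two "whose key is this?" questions above (the audit of the S3 upload key, and this one) and the rotation answer all come down to the same inventory of IAM access keys. This added example (not code from any of the posts) runs that lookup and a key-age check over a constructed inventory shaped like the output of `aws iam list-access-keys` and `aws iam get-account-summary`; the user names and key IDs are placeholders:

```python
"""Locate which IAM user owns an access key ID, fall back to "probably root"
when the account reports root access keys, and list active keys overdue for
rotation. Added example over constructed data, not the posts' own code."""
from datetime import datetime, timedelta, timezone

# Constructed inventory: the fields `aws iam list-access-keys` returns per user.
IAM_INVENTORY = {
    "deploy-bot": [
        {"AccessKeyId": "AKIAEXAMPLEDEPLOY001", "Status": "Active",
         "CreateDate": datetime(2023, 1, 15, tzinfo=timezone.utc)},
        {"AccessKeyId": "AKIAEXAMPLEDEPLOY002", "Status": "Active",
         "CreateDate": datetime(2024, 5, 1, tzinfo=timezone.utc)},
    ],
    "alice": [
        {"AccessKeyId": "AKIAEXAMPLEALICE0001", "Status": "Inactive",
         "CreateDate": datetime(2022, 6, 1, tzinfo=timezone.utc)},
    ],
}
# Constructed `get-account-summary` SummaryMap; AccountAccessKeysPresent is the
# documented counter for access keys belonging to the root user.
ACCOUNT_SUMMARY = {"AccountAccessKeysPresent": 1, "AccountMFAEnabled": 0}
# Constructed reference time for the age check.
AUDIT_NOW = datetime(2024, 9, 1, tzinfo=timezone.utc)


def locate_access_key(key_id, inventory, summary):
    """("iam", user) when an IAM user owns key_id; ("root", None) when no user
    owns it but the account reports root access keys (the case in both
    questions above, which the IAM console search cannot show); else
    ("unknown", None)."""
    for user, keys in inventory.items():
        if any(k["AccessKeyId"] == key_id for k in keys):
            return ("iam", user)
    if summary.get("AccountAccessKeysPresent", 0) > 0:
        return ("root", None)
    return ("unknown", None)


def keys_due_for_rotation(inventory, max_age_days, now):
    """Active keys older than max_age_days, oldest first: the candidates for
    the add-new-key / update-software / revoke-old-key sequence."""
    cutoff = now - timedelta(days=max_age_days)
    overdue = [(user, k["AccessKeyId"], k["CreateDate"])
               for user, keys in inventory.items() for k in keys
               if k["Status"] == "Active" and k["CreateDate"] < cutoff]
    return [(u, kid) for u, kid, _ in sorted(overdue, key=lambda t: t[2])]


if __name__ == "__main__":
    print(locate_access_key("AKIAEXAMPLEMYSTERY00", IAM_INVENTORY, ACCOUNT_SUMMARY))
    print(keys_due_for_rotation(IAM_INVENTORY, 90, AUDIT_NOW))
```

A "root" result means the key cannot be managed from any IAM user's page; it has to be deleted while signed in as the root user.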

S3 Authenticate User without Secret Key

I have a user with read access on a bucket. Is there a way to authenticate with the user's credentials without using my secret key?
Something like (pseudocode, written out here with boto3):
import boto3
# credentials that belong to the user, not the account-wide key/secret
s3 = boto3.client("s3", aws_access_key_id=user_key, aws_secret_access_key=user_secret)
obj = s3.get_object(Bucket=bucket, Key=key)
Update
I discovered the solution to my own question. See below.
The original reason for asking this question was that I was operating under the assumption that the global access and secret key needed to be used to generate the appropriate Authorization digest header.
This is not the case.
You can use Amazon's IAM to create a new key pair to use when authenticating. Here are the steps:
Create a new Group in IAM
Set the policy on the group to whatever access you want users within this group to have. In my case, I just chose the S3 Read-Only policy template
Create a new user and put it in this group
Creating a new user will generate a new secret/access key specific to that user. You can use this pair to auth S3 transactions.
As an aside, you shouldn't need to mess with the bucket-specific permissions. In my case, I have no bucket permissions set (not even Authenticated users) and it works just fine.
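The group / policy / user / key procedure from the answer above, as an added example (not the answer's own code). It goes one step further than the S3 Read-Only template by scoping the read-only grant to a single bucket, and checks the policy document before attaching it. It assumes boto3 is installed and that the caller holds IAM permissions; the group, user and bucket names are placeholders:

```python
"""Provision a dedicated read-only IAM user for one bucket and issue it its own
access key, so callers never need the account's original key. Added example;
names are placeholders. Pure helpers run offline; provision_reader needs boto3."""
import json


def bucket_read_only_policy(bucket):
    """Least-privilege version of the S3 Read-Only template limited to one
    bucket: list the bucket and read its objects, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def policy_grants_write(policy):
    """Guard before attaching: True if any Allow statement carries a mutating
    S3 action or a wildcard action, which a read-only reader must never get."""
    write_prefixes = ("s3:Put", "s3:Delete", "s3:*")
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(a == "*" or a.startswith(write_prefixes) for a in actions):
            return True
    return False


def provision_reader(group, user, bucket):
    """Group -> inline policy -> user -> membership -> access key, in the order
    the answer lists. The secret is shown once by AWS and cannot be fetched
    again, so hand it to a secrets store immediately."""
    import boto3  # imported here so the pure helpers above run without it
    policy = bucket_read_only_policy(bucket)
    if policy_grants_write(policy):
        raise ValueError("reader policy must not grant write actions")
    iam = boto3.client("iam")
    iam.create_group(GroupName=group)
    iam.put_group_policy(GroupName=group, PolicyName=f"{bucket}-read-only",
                         PolicyDocument=json.dumps(policy))
    iam.create_user(UserName=user)
    iam.add_user_to_group(GroupName=group, UserName=user)
    key = iam.create_access_key(UserName=user)["AccessKey"]
    return key["AccessKeyId"], key["SecretAccessKey"]


if __name__ == "__main__":
    print(json.dumps(bucket_read_only_policy("client-uploads-example"), indent=2))
```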