This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.
- An IAM Policy allows certain actions (such as create) on certain resources (such as EC2)
- An IAM User is typically a user's account (such as john.doe) that has an IAM Identity-Based Policy attached, allowing certain actions (such as list) on certain resources (such as S3)
- An IAM Role contains an IAM Policy that allows certain actions (such as create) on certain resources (such as EC2). Let's say the Identity-Based Policy attached to john.doe does NOT allow "create S3"
- The Role that allows "create S3" could be attached to john.doe - or, john.doe could Assume the Role:
- Often, a Role will have two Policies:
The aws iam list-users command can be used to list the IAM users that have been created.
~]$ aws iam list-users
{
"Users": [
{
"Path": "/",
"UserName": "john.doe",
"UserId": "AIDAABCDL76GLUA6B21234",
"Arn": "arn:aws:iam::123456789012:user/john.doe",
"CreateDate": "2022-09-13T11:13:03+00:00"
}
]
}
The aws iam list-access-keys command can be used to list the access key ID associated with a user.
~]$ aws iam list-access-keys --user-name john.doe
{
"AccessKeyMetadata": [
{
"UserName": "john.doe",
"AccessKeyId": "AKIA2MABCD6GDQ1234RY",
"Status": "Active",
"CreateDate": "2022-09-13T11:13:04+00:00"
}
]
}
An access key has two "parts": the key ID and the key value. You can only get the key ID back from AWS. If you lose the key value, also known as the Secret Access Key, it cannot be retrieved, so you'll need to delete the access key and create a new one.
~]$ aws iam delete-access-key --access-key-id AKIA2MABCD6GDQ1234RY --user-name john.doe
The aws iam delete-access-key command is a bit strange in that no output is returned, so you may want to reissue the list-access-keys command just to ensure the access key was deleted.
~]$ aws iam list-access-keys --user-name john.doe
{
"AccessKeyMetadata": []
}
And then use the aws iam create-access-key command to create a new access key. Notice that the output will include both the access key ID and value. Make note of the value!
~]$ aws iam create-access-key --user-name john.doe
{
"AccessKey": {
"UserName": "john.doe",
"AccessKeyId": "AKIAABDCL76GBNCJ1235",
"Status": "Active",
"SecretAccessKey": "Fd0vB55rDXABCDB3wVUnkE1234vx+dgI1234HQqC",
"CreateDate": "2023-03-22T01:55:29+00:00"
}
}
And then use the aws configure set aws_access_key_id and aws configure set aws_secret_access_key commands to update your hidden .aws/credentials file with the new Access Key ID and Secret Access Key.
aws configure set aws_access_key_id AKIAABDCL76GBNCJ1235 --profile john.doe
aws configure set aws_secret_access_key 4FGkm30sdf-0m234dfAVMAD2340-dsfaADV324df --profile john.doe
Now your hidden .aws/credentials file should contain something like this.
~]$ cat ~/.aws/credentials
[john.doe]
aws_secret_access_key = 4FGkm30sdf-0m234dfAVMAD2340-dsfaADV324df
aws_access_key_id = AKIAABDCL76GBNCJ1235
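Putting the steps above together, here is an added example (my own script, not part of the original walkthrough) that rotates one user's access key with the aws CLI in the same order: list, delete, re-list to confirm the deletion (since delete-access-key prints nothing), create, then aws configure set. It uses --query/--output text so no JSON parser is needed; the IAM_USER variable, the function names, and the profile-named-after-the-user default are my own assumptions.

```shell
#!/bin/sh
# Added example: rotate one IAM user's access key with the aws CLI in the
# order the article uses (list -> delete -> re-list -> create -> configure).
# --query/--output text keeps the output parseable without jq. Note that IAM
# allows two keys per user, so a zero-downtime rotation would create first.
set -eu

# Print the access key IDs attached to a user, one per line.
list_key_ids() {
  aws iam list-access-keys --user-name "$1" \
    --query 'AccessKeyMetadata[].AccessKeyId' --output text | tr '\t' '\n'
}

# delete-access-key returns no output, so re-list and make sure the ID
# is gone before treating the deletion as successful.
delete_key_verified() {
  user=$1; old_id=$2
  aws iam delete-access-key --user-name "$user" --access-key-id "$old_id"
  if list_key_ids "$user" | grep -qx "$old_id"; then
    echo "ERROR: $old_id is still listed for $user" >&2
    return 1
  fi
}

# Create a key and store both halves in a profile. The SecretAccessKey is
# only ever shown in this one response, so it is captured immediately.
create_and_configure() {
  user=$1; profile=$2
  pair=$(aws iam create-access-key --user-name "$user" \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text)
  set -- $pair            # tab-separated: "<AccessKeyId>\t<SecretAccessKey>"
  aws configure set aws_access_key_id "$1" --profile "$profile"
  aws configure set aws_secret_access_key "$2" --profile "$profile"
  echo "$1"               # new key ID, for the caller
}

# Delete every existing key of the user (verifying each), then issue a
# new one and write it to a profile named after the user by default.
rotate_access_key() {
  user=$1; profile=${2:-$1}
  for old in $(list_key_ids "$user"); do
    delete_key_verified "$user" "$old"
  done
  create_and_configure "$user" "$profile"
}
# Usage (assumed invocation): IAM_USER=john.doe sh rotate-key.sh
if [ -n "${IAM_USER:-}" ]; then
  rotate_access_key "$IAM_USER"
fi
```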