Managing IAM access keys

This Python example shows you how to manage the access keys of your users.

The scenario

Users need their own access keys to make programmatic calls to AWS from the Amazon Web Services (AWS) SDK for Python. To fill this need, you can create, modify, view, or rotate access keys (access key IDs and secret access keys) for IAM users. By default, when you create an access key, its status is Active, which means the user can use the access key for API calls.

In this example, Python code is used to manage access keys in IAM. The code uses the AWS SDK for Python to manage IAM access keys using these methods of the IAM client class:

create_access_key
list_access_keys (through the list_access_keys paginator)
get_access_key_last_used
update_access_key
delete_access_key

For more information about IAM access keys, see Managing Access Keys in the IAM User Guide.

All the example code for the Amazon Web Services (AWS) SDK for Python is available here on GitHub.

Prerequisite tasks

To set up and run this example, you must first configure your AWS credentials, as described in Quickstart.

Create access keys for a user

Create a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.

The example below shows how to:

Create a new access key for an IAM user using create_access_key.

Example

import boto3

# Create IAM client
iam = boto3.client('iam')

# Create an access key
response = iam.create_access_key(
    UserName='IAM_USER_NAME'
)

print(response['AccessKey'])

List a user's access keys

List information about the access key IDs associated with the specified IAM user. If there are none, the action returns an empty list.

If the UserName field is not specified, the UserName is determined implicitly based on the AWS access key ID used to sign the request. Because this action works for access keys under the AWS account, you can use this action to manage root credentials even if the AWS account has no associated users.

The example below shows how to:

List the access keys of an IAM user using the list_access_keys paginator.

For more information about paginators, see Paginators.

Example

import boto3

# Create IAM client
iam = boto3.client('iam')

# List access keys through the pagination interface.
paginator = iam.get_paginator('list_access_keys')
for response in paginator.paginate(UserName='IAM_USER_NAME'):
    print(response)

Get the access key last used

Get information about when the specified access key was last used. The information includes the date and time of last use, along with the AWS service and region that were specified in the last request made with that key.

The example below shows how to:

Retrieve when an access key was last used using get_access_key_last_used.

Example

import boto3
# Create IAM client
iam = boto3.client('iam')

# Get last use of access key
response = iam.get_access_key_last_used(
    AccessKeyId='ACCESS_KEY_ID'
)

print(response['AccessKeyLastUsed'])

Update access key status

Change the status of the specified access key from Active to Inactive, or vice versa. This action can be used to disable a user's key as part of a key rotation workflow.

The example below shows how to:

Change the status of an access key using update_access_key.

Example

import boto3

# Create IAM client
iam = boto3.client('iam')

# Update access key to be active
iam.update_access_key(
    AccessKeyId='ACCESS_KEY_ID',
    Status='Active',
    UserName='IAM_USER_NAME'
)

Delete an access key

Delete the access key pair associated with the specified IAM user.

If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request. Because this action works for access keys under the AWS account, you can use this action to manage root credentials even if the AWS account has no associated users.

The example below shows how to:

Delete an access key of an IAM user using delete_access_key.

Example

import boto3

# Create IAM client
iam = boto3.client('iam')

# Delete access key
iam.delete_access_key(
    AccessKeyId='ACCESS_KEY_ID',
    UserName='IAM_USER_NAME'
)