Creates a new Amazon Web Services secret access key and corresponding Amazon Web Services access key ID for the specified user. The default status for new keys is Active .

If you do not specify a user name, IAM determines the user name implicitly based on the Amazon Web Services access key ID signing the request. This operation works for access keys under the Amazon Web Services account. Consequently, you can use this operation to manage Amazon Web Services account root user credentials. This is true even if the Amazon Web Services account has no associated users.

For information about quotas on the number of keys you can create, see IAM and STS quotas in the IAM User Guide .


To ensure the security of your Amazon Web Services account, the secret access key is accessible only during key and user creation. You must save the key (for example, in a text file) if you want to be able to access it again. If a secret key is lost, you can delete the access keys for the associated user and then create new keys.

See also: AWS API Documentation

Request Syntax

response = client.create_access_key(
UserName (string) --

The name of the IAM user that the new key will belong to.

This parameter allows (through its regex pattern ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

Return type
Response Syntax
    'AccessKey': {
        'UserName': 'string',
        'AccessKeyId': 'string',
        'Status': 'Active'|'Inactive',
        'SecretAccessKey': 'string',
        'CreateDate': datetime(2015, 1, 1)

Response Structure

  • (dict) --

    Contains the response to a successful CreateAccessKey request.

    • AccessKey (dict) --

      A structure with details about the access key.

      • UserName (string) --

        The name of the IAM user that the access key is associated with.

      • AccessKeyId (string) --

        The ID for this access key.

      • Status (string) --

        The status of the access key. Active means that the key is valid for API calls, while Inactive means it is not.

      • SecretAccessKey (string) --

        The secret key used to sign requests.

      • CreateDate (datetime) --

        The date when the access key was created.


  • IAM.Client.exceptions.NoSuchEntityException
  • IAM.Client.exceptions.LimitExceededException
  • IAM.Client.exceptions.ServiceFailureException


The following command creates an access key (access key ID and secret access key) for the IAM user named Bob.

response = client.create_access_key(


Expected Output:

    'AccessKey': {
        'AccessKeyId': 'AKIAIOSFODNN7EXAMPLE',
        'CreateDate': datetime(2015, 3, 9, 18, 39, 23, 0, 68, 0),
        'SecretAccessKey': 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY',
        'Status': 'Active',
        'UserName': 'Bob',
    'ResponseMetadata': {
        '...': '...',