Managing Access Keys for an IAM User
Description
Access keys are permanent identity credentials consisting of an access key ID (AK) and a secret access key (SK). You can use them to access Huawei Cloud using development tools, including APIs, CLI, and SDKs. However, you cannot use them to log in to the console. The system uses the AK to identify the access user and uses the SK to verify the signature. The encrypted signature verification ensures the confidentiality, integrity, and correctness of the requester's identity. In addition to access keys, temporary security credentials can also be used to access resources on Huawei Cloud using development tools. Access keys are permanent (unless you manually disable or delete them). If they are disclosed, they may have a great impact. Therefore, temporary security credentials are recommended. For more information about temporary security credentials, see Overview.
As an administrator, you can manage access keys for IAM users who have forgotten their access keys and do not have access to the console.
- You can manage access keys for IAM users on the Security Settings page of the IAM console. If a user can log in to the console, the user can manage access keys on the My Credentials page.
- Access keys are identity credentials used to call APIs. The account root user and IAM users can only use their own access keys to call APIs.
Notes and Constraints
Each user can have a maximum of two access keys, and the access keys are permanently valid.
Creating an Access Key
- Procedure
- In the IAM user list, click Security Settings in the Operation column of the row containing the desired IAM user.
Figure 1 Managing access keys for an IAM user
- In the Access Keys area, click Create Access Key.
Figure 2 Creating an access key
For security purposes, change the access keys of IAM users periodically.
- Click OK. An access key is automatically generated. Download the access key and send it to the IAM user.
- Permissions required for creating access keys
- A root user has full access permissions. No additional permissions are required.
- For IAM users, the administrator needs to grant permissions to them. For example, you can attach the following identity policy to an IAM user to create access keys:
{ "Version": "5.0", "Statement": [ { "Effect": "Allow", "Action": [ "iam:credentials:createCredentialV5", "iam:credentials:listCredentialsV5" ], "Resource": [ "iam:*:*:user:{user-name}" ] } ] }
Update user-name in the policy as required.
Deleting an Access Key
- Procedure
- In the IAM user list, click Security Settings in the Operation column of the row containing the desired IAM user.
Figure 3 Managing access keys for an IAM user
- In the Access Keys area, click Disabled in the Operation column of the desired access key.
Figure 4 Disabling an access key
- In the displayed dialog box, click OK. Then, click Delete in the Operation column of the access key.
Figure 5 Deleting an access key
- In the displayed dialog box, enter DELETE and click OK.
- Permissions required for deleting an access key
- A root user has full access permissions. No additional permissions are required.
- For an IAM user, you need to grant permissions. For example, you can attach the following policy to an IAM user to delete access keys:
{ "Version": "5.0", "Statement": [ { "Effect": "Allow", "Action": [ "iam:credentials:listCredentialsV5", "iam:credentials:deleteCredentialV5" ], "Resource": [ "iam:*:*:user:{user-name}" ] } ] }
Enabling/Disabling an Access Key
- New access keys are enabled by default. To disable an access key, perform the following steps:
- In the IAM user list, click Security Settings in the Operation column of the row containing the desired IAM user.
Figure 6 Managing access keys for an IAM user
- In the access key list, click Disable in the row containing the access key you want to disable.
Figure 7 Disabling an access key
- Confirm that disabling the access key has no impact on services, and then click OK on the displayed page.
The method of enabling an access key is similar to that of disabling an access key.
- Permissions required for enabling and disabling an access key
- A root user has full access permissions. No additional permissions are required.
- For an IAM user, you need to grant permissions. For example, you can attach the following policy to an IAM user to enable or disable access keys.
{ "Version": "5.0", "Statement": [ { "Effect": "Allow", "Action": [ "iam:credentials:listCredentialsV5", "iam:credentials:updateCredentialV5" ], "Resource": [ "iam:*:*:user:{user-name}" ] } ] }
Updating Access Keys for an IAM User
You can update access keys for an IAM user without interrupting applications.
For security purposes, change the access keys of IAM users periodically.
- In the IAM user list, click Security Settings in the Operation column of the row containing the desired IAM user.
Figure 8 Managing access keys for an IAM user
- In the Access Keys area, click Create Access Key.
Figure 9 Creating access keys
- Click OK. An access key is automatically generated. Download the access key and send it to the IAM user.
- As the IAM user, update all applications and tools using the new access keys.
- As the IAM user, check whether the last used time of the old access key is updated and continue checking for one week.
- If the last used time of the old access key does not change anymore, disable the old access key.
Figure 10 Disabling an access key
- Operate using the new access key. If any application or tool cannot work properly, enable the old access key. Repeat steps 4 to 7 to roll back to the old access key.
- Operate using the new access key for a period of time. Delete the old access key after you are sure that it is no longer required.
Figure 11 Disabling the old access key
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
