IAM Policy for Generating Access Keys

AWS: Allows IAM Users to Manage Their Own Password, Access Keys, and SSH Public Keys on the My Security Credentials Page

This example shows how you might create a policy that allows IAM users to manage their own password, access keys, and X.509 certificates on the My Security Credentials page. Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). For more information, see Signing AWS API Requests in the Amazon Web Services General Reference.

Use Rancher to create a Kubernetes cluster in Amazon EC2. You need an AWS EC2 access key and secret key that will be used to create the instances (see the Amazon documentation, Creating Access Keys, for how to create an access key and secret key), and an IAM policy attached to the user that owns the access key and secret key (see the Amazon documentation, Creating IAM Policies (Console), for how to create an IAM policy).

Apr 10, 2020. Console: Open the IAM & Admin page in the Cloud Console. Click Select a project, choose a project, and click Open. In the left nav, click Service accounts. Find the row of the service account that you want to create a key for. In that row, click the More button, and then click Create key. Select a Key type and click Create.

First you create a policy that allows access to a single S3 bucket (IAM - Policies - Create Policy). You can use the AWS Policy Generator. When accessing S3 with a client program, you must use an API access key. Select the user in IAM and use 'Create access key' in the 'Security credentials' tab.
In the video on the left, Emanuel shows you how to create an AWS access key for an existing IAM user.
In the video on the right, Deren shows you how to create an access key ID for a new IAM user.
I need an AWS access key to allow a program, script, or developer to have programmatic access to the resources on my AWS account. How do I create a new access key?
An access key grants programmatic access to your resources. This means that the access key should be guarded as carefully as the AWS account root user sign-in credentials.
It's a best practice to do the following:
- Create an IAM user and then define that user's permissions as narrowly as possible.
- Create the access key under that IAM user.
For more information, see What are some best practices for securing my AWS account and its resources?
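The two pieces of advice above (a narrowly scoped IAM user, and a self-service policy so users manage only their own credentials) can be checked mechanically. The following is an added example written for this page, not AWS's own code: the policy document is modelled on AWS's documented "manage your own credentials" example and may differ in detail from the current AWS version, and `find_overbroad_statements` is a hypothetical helper that flags any Allow statement granting a credential-management action on anything other than the caller's own user ARN (`${aws:username}` is an IAM policy variable resolved at evaluation time).

```python
"""Self-service credential policy plus a least-privilege check.
Added example for this page; the policy is modelled on AWS's documented
self-service example (an assumption, not copied from this page)."""
import json
import re

# The only Resource pattern that scopes an IAM credential action to the caller.
SELF_USER_ARN = "arn:aws:iam::*:user/${aws:username}"

# Actions that create, read or rotate credentials. Granting any of these on
# Resource "*" lets a user mint access keys for every user in the account.
CREDENTIAL_ACTIONS = {
    "iam:ChangePassword",
    "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys",
    "iam:UpdateAccessKey", "iam:GetAccessKeyLastUsed",
    "iam:UploadSSHPublicKey", "iam:DeleteSSHPublicKey", "iam:GetSSHPublicKey",
    "iam:ListSSHPublicKeys", "iam:UpdateSSHPublicKey",
}

SELF_SERVICE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # read-only account information the Security Credentials page needs
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": ["iam:GetAccountPasswordPolicy", "iam:ListVirtualMFADevices"],
            "Resource": "*",
        },
        {
            "Sid": "AllowManageOwnPasswords",
            "Effect": "Allow",
            "Action": ["iam:ChangePassword", "iam:GetUser"],
            "Resource": SELF_USER_ARN,
        },
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys",
                       "iam:UpdateAccessKey", "iam:GetAccessKeyLastUsed"],
            "Resource": SELF_USER_ARN,
        },
        {
            "Sid": "AllowManageOwnSSHPublicKeys",
            "Effect": "Allow",
            "Action": ["iam:DeleteSSHPublicKey", "iam:GetSSHPublicKey", "iam:ListSSHPublicKeys",
                       "iam:UpdateSSHPublicKey", "iam:UploadSSHPublicKey"],
            "Resource": SELF_USER_ARN,
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action patterns: '*' matches any run of characters, case-insensitively.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def find_overbroad_statements(policy):
    """Return the Sids of Allow statements that grant a credential-management
    action on any resource other than the caller's own user ARN."""
    flagged = []
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        patterns = _as_list(statement.get("Action", []))
        grants_credential = any(_matches(p, a) for p in patterns for a in CREDENTIAL_ACTIONS)
        resources = _as_list(statement.get("Resource", []))
        if grants_credential and any(r != SELF_USER_ARN for r in resources):
            flagged.append(statement.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    print(json.dumps(SELF_SERVICE_POLICY, indent=4))
    print("over-broad statements:", find_overbroad_statements(SELF_SERVICE_POLICY))
```

Run the check against any policy you are about to attach to a user; a statement such as `"Action": "iam:*", "Resource": "*"` is reported because it would let the user create access keys for every other user in the account.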
Published: 2016-01-28
Updated: 2018-10-24
This topic describes the basics of working with Oracle Cloud Infrastructure Identity and Access Management (IAM) user credentials. If you're not already familiar with the available credentials, see User Credentials.
Working with Console Passwords and API Keys
Each user automatically has the ability to change or reset their own Console password, as well as manage their own API keys. An administrator does not need to create a policy to give a user those abilities.
To manage credentials for users other than yourself, you must be in the Administrators group or some other group that has permission to work with the tenancy. Having permission to work with a compartment within the tenancy is not sufficient. For more information, see The Administrators Group and Policy.
IAM administrators (or anyone with permission to the tenancy) can use either the Console or the API to manage all aspects of both types of credentials, for themselves and all other users. This includes creating an initial one-time password for a new user, resetting a password, uploading API keys, and deleting API keys.
Users who are not administrators can manage their own credentials. In the Console, users can:
- Change or reset their own password.
- Upload an API key in the Console for their own use (and also delete their own API keys).
And with the API, users can:
- Reset their own password with CreateOrResetUIPassword.
- Upload an additional API key to the IAM service for their own use with UploadApiKey (and also delete their own API keys with DeleteApiKey). Remember that a user can't use the API to change or delete their own credentials until they themselves upload a key in the Console, or an administrator uploads a key for that user in the Console or the API.
A user can have a maximum of three API keys at a time.
Working with Auth Tokens
Note
'Auth tokens' were previously named 'Swift passwords'. Any Swift passwords you had created are now listed in the Console as auth tokens. You can continue to use the existing passwords.
Auth tokens are Oracle-generated token strings that you can use to authenticate with third-party APIs that do not support Oracle Cloud Infrastructure's signature-based authentication. Each user created in the IAM service automatically has the ability to create, update, and delete their own auth tokens in the Console or the API. An administrator does not need to create a policy to give a user those abilities. Administrators (or anyone with permission to the tenancy) also have the ability to manage auth tokens for other users.
Note that you cannot change your auth token to a string of your own choice. The token is always an Oracle-generated string.
Auth tokens do not expire. Each user can have up to two auth tokens at a time. To get an auth token in the Console, see To create an auth token.
Using an Auth Token with Swift
Swift is the OpenStack object store service. If you already have an existing Swift client, you can use it with the Recovery Manager (RMAN) to back up an Oracle Database System (DB System) database to Object Storage. You will need to get an auth token to use as your Swift password. When you sign in to your Swift client, you provide the following:
- Your Oracle Cloud Infrastructure Console user login
- Your Swift-specific auth token, provided by Oracle
- Your organization's Oracle tenant name
Any user of a Swift client that integrates with Object Storage needs permission to work with the service. If you're not sure if you have permission, contact your administrator. For information about policies, see How Policies Work. For basic policies that enable use of Object Storage, see Common Policies.
Working with Customer Secret Keys
Note
'Customer Secret keys' were previously named 'Amazon S3 Compatibility API keys'. Any keys you had created are now listed in the Console as Customer Secret keys. You can continue to use the existing keys.
Object Storage provides an API to enable interoperability with Amazon S3. To use this Amazon S3 Compatibility API, you need to generate the signing key required to authenticate with Amazon S3. This special signing key is an Access Key/Secret Key pair. Oracle provides the Access Key that is associated with your Console user login. You or your administrator generates the Customer Secret key to pair with the Access Key.
Each user created in the IAM service automatically has the ability to create, update, and delete their own Customer Secret keys in the Console or the API. An administrator does not need to create a policy to give a user those abilities. Administrators (or anyone with permission to the tenancy) also have the ability to manage Customer Secret keys for other users.
Any user of the Amazon S3 Compatibility API with Object Storage needs permission to work with the service. If you're not sure if you have permission, contact your administrator. For information about policies, see How Policies Work. For basic policies that enable use of Object Storage, see Common Policies.
Customer Secret keys do not expire. Each user can have up to two Customer Secret keys at a time. To create keys using the Console, see To create a Customer Secret key.
Working with SMTP Credentials
Simple Mail Transfer Protocol (SMTP) credentials are needed in order to send email through the Email Delivery service. Each user is limited to a maximum of two SMTP credentials. If more than two are required, they must be generated on other existing users or additional users must be created.
Note
You cannot change your SMTP username or password to a string of your own choice. The credentials are always Oracle-generated strings.
Each user created in the IAM service automatically has the ability to create and delete their own SMTP credentials in the Console or the API. An administrator does not need to create a policy to give a user those abilities. Administrators (or anyone with permission to the tenancy) also have the ability to manage SMTP credentials for other users.
Tip
Although each user can create and delete their own credentials, it is a security best practice to create a new user and generate SMTP credentials on this user rather than generating SMTP credentials on your Console user that already has permissions assigned to it.
SMTP credentials do not expire. Each user can have up to two credentials at a time. To get SMTP credentials in the Console, see To generate SMTP credentials.
For information about using the Email Delivery service, see Overview of the Email Delivery Service.
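Every credential type described above (API keys, auth tokens, Customer Secret keys, SMTP credentials) has a small per-user ceiling and, apart from the Console password, never expires, so the only control left is periodic review. The following is an added example written for this page, not Oracle's code: `credential_report` is a hypothetical helper that walks a per-user credential inventory and reports users who are at their limit (and so cannot add a replacement before deleting one), credentials older than a rotation age, and SMTP credentials sitting on a privileged user, which the tip above advises against. The inventory is constructed for the example; its field names (`lifecycle-state`, `time-created`, `id`) follow the shape of OCI CLI list output as an assumption.

```python
"""Hygiene report over an OCI user credential inventory.
Added example for this page; not Oracle code. Field names mimic OCI CLI
`oci iam <type> list` output (assumed), and the inventory is constructed."""
from datetime import datetime, timezone

# Per-user ceilings stated on this page.
LIMITS = {"api-keys": 3, "auth-tokens": 2, "customer-secret-keys": 2, "smtp-credentials": 2}


def _parse_time(stamp):
    # OCI timestamps are RFC 3339 with a trailing Z; fromisoformat wants +00:00.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def credential_report(inventory, now, max_age_days=90, privileged_groups=("Administrators",)):
    """Return (user, credential-type, finding, detail) tuples."""
    findings = []
    for user, record in inventory.items():
        privileged = set(record.get("groups", [])) & set(privileged_groups)
        for ctype, limit in LIMITS.items():
            active = [c for c in record.get(ctype, []) if c.get("lifecycle-state") == "ACTIVE"]
            if len(active) >= limit:
                findings.append((user, ctype, "at-limit",
                                 f"{len(active)}/{limit} active; delete one before you can rotate"))
            if ctype == "smtp-credentials" and active and privileged:
                findings.append((user, ctype, "smtp-on-privileged-user",
                                 f"user is in {sorted(privileged)}; use a dedicated sender user"))
            for cred in active:
                age_days = (now - _parse_time(cred["time-created"])).days
                if age_days > max_age_days:
                    findings.append((user, ctype, "stale", f"{cred['id']} is {age_days} days old"))
    return findings


# Constructed sample data (not real OCIDs or tenancy data).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    "alice": {
        "groups": ["Developers"],
        "api-keys": [
            {"id": "example-apikey-1", "lifecycle-state": "ACTIVE", "time-created": "2023-11-01T00:00:00Z"},
            {"id": "example-apikey-2", "lifecycle-state": "ACTIVE", "time-created": "2024-02-15T00:00:00Z"},
            {"id": "example-apikey-3", "lifecycle-state": "ACTIVE", "time-created": "2024-02-20T00:00:00Z"},
        ],
        "auth-tokens": [
            {"id": "example-token-1", "lifecycle-state": "ACTIVE", "time-created": "2023-01-10T00:00:00Z"},
        ],
    },
    "bob": {
        "groups": ["Administrators"],
        "api-keys": [
            {"id": "example-apikey-4", "lifecycle-state": "DELETED", "time-created": "2023-05-01T00:00:00Z"},
        ],
        "smtp-credentials": [
            {"id": "example-smtp-1", "lifecycle-state": "ACTIVE", "time-created": "2024-02-01T00:00:00Z"},
        ],
    },
    "svc-mail": {
        "groups": ["MailSenders"],
        "smtp-credentials": [
            {"id": "example-smtp-2", "lifecycle-state": "ACTIVE", "time-created": "2024-02-10T00:00:00Z"},
        ],
    },
}

if __name__ == "__main__":
    for user, ctype, finding, detail in credential_report(SAMPLE_INVENTORY, NOW):
        print(f"{user:10} {ctype:22} {finding:24} {detail}")
```

Deleted credentials are ignored because they no longer authenticate; the age threshold is a policy choice, and the privileged-group set should be whatever groups carry tenancy-level policy in your tenancy.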
Using the Console
To change your Console password
You're prompted to change your initial one-time password the first time you sign in to the Console. The following procedure is for changing your password again later.
Note: For Federated Users
If your company uses an identity provider (other than Oracle Identity Cloud Service) to manage user logins and passwords, you can't use the Console to update your password. You do that with your identity provider.
- Sign in to the Console using the Oracle Cloud Infrastructure Username and Password.
- After you sign in, go to the top-right corner of the Console, open the Profile menu and then click Change Password.
- Enter the current password.
- Follow the prompts to enter the new password, and then click Save New Password.
If you're an administrator, you can use the following procedure to create or reset a user's password. The procedure generates a new one-time password that the user must change the next time they sign in to the Console.
- View the user's details: In the Console, click Identity, and then click Users. Locate the user in the list, and then click the user's name to view the details.
- Click Create/Reset Password.
The new one-time password is displayed. If you're an administrator performing the task for another user, you need to securely deliver the new password to the user. The user will be prompted to change their password the next time they sign in to the Console. If they don't change it within 7 days, the password will expire and you'll need to create a new one-time password for the user.
If you have an email address in your user profile, you can use the Forgot Password link on the sign on page to have a temporary password sent to you. If you don't have an email address in your user profile, you must ask an administrator to reset your password for you.
To unblock a user
If you're an administrator, you can unblock a user who has tried 10 times in a row to sign in to the Console unsuccessfully. See To unblock a user.
To upload an API signing key
The following procedure works for a regular user or an administrator. Administrators can upload an API key for either another user or themselves.
Important
The API key must be an RSA key in PEM format (minimum 2048 bits). The PEM format looks something like this:
For more information about generating a public PEM key, see Required Keys and OCIDs.
- View the user's details:
- If you're uploading an API key for yourself: Open the Profile menu and click User Settings.
- If you're an administrator uploading an API key for another user: In the Console, click Identity, and then click Users. Locate the user in the list, and then click the user's name to view the details.
- Click Add Public Key.
- Paste the key's value into the window and click Add.
The key is added and its fingerprint is displayed (example fingerprint: d1:b2:32:53:d3:5f:cf:68:2d:6f:8b:5f:77:8f:07:13).
When making API requests, you'll need the key's fingerprint, along with your tenancy's OCID and user OCID. See Required Keys and OCIDs.
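Before uploading a key you can verify offline that it meets the 2048-bit minimum stated above and predict the fingerprint the Console will display, which lets you confirm that the key you see registered is the one you meant to upload. The following is an added example written for this page, not Oracle's code. It assumes the fingerprint rule from Oracle's documented openssl recipe (`openssl rsa -pubout -outform DER | openssl md5 -c`): an MD5 over the DER-encoded SubjectPublicKeyInfo, printed as colon-separated hex pairs. The helpers (`spki_to_pem`, `rsa_modulus_bits`, `oci_fingerprint`, `check_api_key`) are hypothetical names, and the sample keys are synthetic moduli constructed so the example runs with the standard library only; they are not usable key pairs.

```python
"""Validate an RSA public key PEM (>= 2048 bits) and compute its
colon-separated MD5 fingerprint. Added example for this page, not Oracle
code; the fingerprint rule is assumed from Oracle's documented openssl
recipe, and the sample keys below are synthetic."""
import base64
import hashlib

# OID 1.2.840.113549.1.1.1 (rsaEncryption), already DER-encoded.
RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    # One extra byte of headroom keeps the sign bit clear for a positive INTEGER.
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def spki_to_pem(modulus, exponent=65537):
    """Wrap a modulus/exponent as a PEM SubjectPublicKeyInfo (the form
    `openssl rsa -pubout` emits). Used here only to build synthetic samples."""
    rsa_key = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    algorithm = _tlv(0x30, RSA_OID_DER + b"\x05\x00")  # rsaEncryption, NULL params
    bit_string = _tlv(0x03, b"\x00" + rsa_key)         # leading 0x00 = no unused bits
    der = _tlv(0x30, algorithm + bit_string)
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def pem_to_der(pem):
    body = [ln.strip() for ln in pem.strip().splitlines() if not ln.strip().startswith("-----")]
    return base64.b64decode("".join(body))


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(der):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> modulus."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, algorithm, pos = _read_tlv(spki, 0)
    if not algorithm.startswith(RSA_OID_DER):
        raise ValueError("not an RSA key")
    tag, bit_string, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsa_key, _ = _read_tlv(bit_string, 1)   # skip the unused-bits byte
    tag, modulus, _ = _read_tlv(rsa_key, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def oci_fingerprint(pem):
    digest = hashlib.md5(pem_to_der(pem)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def check_api_key(pem, min_bits=2048):
    """Return (accepted, modulus bits, fingerprint) for a candidate key."""
    bits = rsa_modulus_bits(pem_to_der(pem))
    return bits >= min_bits, bits, oci_fingerprint(pem)


# Constructed samples: moduli with the top bit set so the bit length is exact.
SAMPLE_2048 = spki_to_pem((1 << 2047) | 0x1234567)
SAMPLE_1024 = spki_to_pem((1 << 1023) | 0x1234567)

if __name__ == "__main__":
    for name, pem in (("2048-bit", SAMPLE_2048), ("1024-bit", SAMPLE_1024)):
        accepted, bits, fingerprint = check_api_key(pem)
        print(f"{name}: {bits} bits, {'accepted' if accepted else 'REJECTED'}, fingerprint {fingerprint}")
```

Feed `check_api_key` the public PEM you intend to paste into Add Public Key; compare the returned fingerprint with the one the Console shows after the upload.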
To delete an API signing key
The following procedure works for a regular user or an administrator. Administrators can delete an API key for either another user or themselves.
- View the user's details:
- If you're deleting an API key for yourself: Open the Profile menu and click User Settings.
- If you're an administrator deleting an API key for another user: In the Console, click Identity, and then click Users. Locate the user in the list, and then click the user's name to view the details.
- For the API key you want to delete, click Delete.
- Confirm when prompted.
The API key is no longer valid for sending API requests.
To create an auth token
- View the user's details:
- If you're creating an auth token for yourself: Open the Profile menu and click User Settings.
- If you're an administrator creating an auth token for another user: In the Console, click Identity, and then click Users. Locate the user in the list, and then click the user's name to view the details.
- On the left side of the page, click Auth Tokens.
- Click Generate Token.
- Enter a description that indicates what this token is for, for example, 'Swift password token'.
- Click Generate Token.
The new token string is displayed.
- Copy the token string immediately, because you can't retrieve it again after closing the dialog box.
If you're an administrator creating an auth token for another user, you need to securely deliver it to the user by providing it verbally, printing it out, or sending it through a secure email service.
To delete an auth token
The following procedure works for a regular user or an administrator. Administrators can delete an auth token for either another user or themselves.
- View the user's details:
- If you're deleting an auth token for yourself: Open the Profile menu and click User Settings.
- If you're an administrator deleting an auth token for another user: In the Console, click Identity, and then click Users. Locate the user in the list, and then click the user's name to view the details.
- On the left side of the page, click Auth Tokens.
- For the auth token you want to delete, click Delete.
- Confirm when prompted.
The auth token is no longer valid for accessing third-party APIs.
To create a Customer Secret key
- View the user's details:
- If you're creating a Customer Secret key for yourself: Open the Profile menu and click User Settings.
- If you're an administrator creating a Customer Secret key for another user: In the Console, click Identity, and then click Users. Locate the user in the list, and then click the user's name to view the details.
- On the left side of the page, click Customer Secret Keys.
A Customer Secret key consists of an Access Key/Secret key pair. Oracle automatically generates the Access Key when you or your administrator generates the Secret Key to create the Customer Secret key.
- Click Generate Secret Key.
- Enter a friendly description for the key and click Generate Secret Key.
The generated Secret Key is displayed in the Generate Secret Key dialog box. At the same time, Oracle generates the Access Key that is paired with the Secret Key. The newly generated Customer Secret key is added to the list of Customer Secret Keys.
Copy the Secret Key immediately, because you can't retrieve the Secret Key again after closing the dialog box for security reasons.
If you're an administrator creating a Secret Key for another user, you need to securely deliver it to the user by providing it verbally, printing it out, or sending it through a secure email service.
- Click Close.
- To show or copy the Access Key, click the Show or Copy action to the left of the Name of a particular Customer Secret key.
To delete a Customer Secret key
The following procedure works for a regular user or an administrator. Administrators can delete a Customer Secret key for either another user or themselves.
- View the user's details:
- If you're deleting a Customer Secret key for yourself: Open the Profile menu and click User Settings.
- If you're an administrator deleting a Customer Secret key for another user: In the Console, click Identity, and then click Users. Locate the user in the list, and then click the user's name to view the details.
- On the left side of the page, click Customer Secret Keys.
- For the Customer Secret key you want to delete, click Delete.
- Confirm when prompted.
The Customer Secret key is no longer available to use with the Amazon S3 Compatibility API.
To generate SMTP credentials
- View the user's details:
- If you're generating SMTP credentials for yourself: Open the Profile menu and click User Settings.
- If you're an administrator generating SMTP credentials for another user: In the Console, click Identity, and then click Users. Locate the user in the list, and then click the user's name to view the details.
- Click SMTP Credentials.
- Click Generate SMTP Credentials.
- Enter a Description of the SMTP Credentials in the dialog box.
- Click Generate SMTP Credentials. A user name and password is displayed.
Copy the user name and password for your records and click Close. Copy the credentials immediately, because you can't retrieve the password again after closing the dialog box for security reasons.
If you're an administrator creating the credential set for another user, you need to securely deliver it to the user by providing it verbally, printing it out, or sending it through a secure email service.
To delete SMTP credentials
The following procedure works for a regular user or an administrator. Administrators can delete SMTP credentials for either another user or themselves.
- View the user's details:
- If you're deleting SMTP credentials for yourself: Open the Profile menu and click User Settings.
- If you're an administrator deleting SMTP credentials for another user: In the Console, click Identity, and then click Users. Locate the user in the list, and then click the user's name to view the details.
- On the left side of the page, click SMTP Credentials.
- For the SMTP credentials you want to delete, click Delete.
- Confirm when prompted.
The SMTP credentials are no longer available to use with the Email Delivery service.
Using the API
For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.
Use these API operations to manage Console passwords and access:
- CreateOrResetUIPassword: This generates a new one-time Console password for the user. The next time the user signs in to the Console, they'll be prompted to change the password.
- UpdateUserState: Unblocks a user who has tried to sign in 10 times in a row unsuccessfully.
Use these API operations to manage API signing keys:
Use these API operations to manage auth tokens:
- UpdateAuthToken: You can only update the auth token's description, not change the token string itself.
Use these API operations to manage Customer Secret keys:
- UpdateCustomerSecretKey: You can only update the secret key's description, not change the key itself.
Use these API operations to manage SMTP credentials:
- UpdateSmtpCredential: You can only update the description.