1. IAM Credentials Overview
AWS Identity and Access Management (IAM) provides self-managed, fine grain, access controls applied to individual users and groups.
ITSD provides an initial IAM user, you may then create and manage additional ones.
The IAM 'accesskey' and 'secretkey' credential values are obtained when IAM users are created and may thereafter be used for interactive or automated workflows.
These keys provide access to (or control of) AWS resources. Similar to a username and password they should be protected and securely shared with only those intended.
This pair of values are used when configuring the aws cli client, or graphical tools. You may then use the clients for to interact with AWS services and perform operations (S3 storage commands, launch VMs, etc)
Multiple IAM Users
While you may use the root account IAM user credentials initially provided by ITSD, it is suggested to create additional IAM users with permissions limited to their intended use.
Example: Within the AWS web console account, create an IAM user and grant them S3 access. This will create a new 'accesskey' and 'secretkey' credential pair. See this guide for detailed steps.
IAM Named Profiles
You may have several IAM users, for accessing S3 buckets, controlling VMs, etc. owned by different projects.
Creating named profiles prevents having to re-configure the aws cli each time you wish to use a different IAM user.
You can define profiles for each and easily specify which to use via the aws cli
--profile option. More information on multiple named profiles is available in the S3 guide
2. IAM User Expiration
By default IAM users do not expire, though can be managed and manually expired by the AWS account holder.
If the access keys have been revoked the
aws commands will produce an error message similar to the one below.
An error occurred (InvalidAccessKeyId) when calling the ListBuckets operation: The AWS access key Id you provided does not exist in our records.
Graphical clients will produce similar errors.