Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

AWS::IAM::AccessKey

Focus mode
AWS::IAM::AccessKey - AWS CloudFormation
Filter View

Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.

For information about quotas on the number of keys you can create, see IAM and AWS STS quotas in the IAM User Guide.

Important

To ensure the security of your AWS account, the secret access key is accessible only during key and user creation. You must save the key (for example, in a text file) if you want to be able to access it again. If a secret key is lost, you can rotate access keys by increasing the value of the serial property.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::IAM::AccessKey", "Properties" : { "Serial" : Integer, "Status" : String, "UserName" : String } }

YAML

Type: AWS::IAM::AccessKey Properties: Serial: Integer Status: String UserName: String

Properties

Serial

This value is specific to CloudFormation and can only be incremented. Incrementing this value notifies CloudFormation that you want to rotate your access key. When you update your stack, CloudFormation will replace the existing access key with a new key.

Required: No

Type: Integer

Update requires: Replacement

Status

The status of the access key. Active means that the key is valid for API calls, while Inactive means it is not.

Required: No

Type: String

Allowed values: Active | Inactive

Update requires: No interruption

UserName

The name of the IAM user that the new key will belong to.

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

Required: Yes

Type: String

Pattern: [\w+=,.@-]+

Minimum: 1

Maximum: 128

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the AccessKeyId. For example: AKIAIOSFODNN7EXAMPLE.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

SecretAccessKey

Returns the secret access key for the specified AWS::IAM::AccessKey resource. For example: wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY.

See also

On this page

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.