Resource: awsIamAccessKey

Provides an IAM access key. This is a set of credentials that allow API requests to be made as an IAM user.

Example Usage

import { Construct } from "constructs";
import * as cdktf from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
/*Constructs need a scope, so the resources are created inside a stack. The class name is illustrative.*/
class LbAccessKeyStack extends cdktf.TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
    const awsIamUserLb = new aws.iamUser.IamUser(this, "lb", {
      name: "loadbalancer",
      path: "/system/",
    });
    const dataAwsIamPolicyDocumentLbRo =
      new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "lb_ro", {
        statement: [
          {
            actions: ["ec2:Describe*"],
            effect: "Allow",
            resources: ["*"],
          },
        ],
      });
    /*With pgpKey set, the secret is exported only in encrypted form (encryptedSecret).*/
    const awsIamAccessKeyLb = new aws.iamAccessKey.IamAccessKey(this, "lb_2", {
      pgpKey: "keybase:some_person_that_exists",
      user: awsIamUserLb.name,
    });
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    awsIamAccessKeyLb.overrideLogicalId("lb");
    const awsIamUserPolicyLbRo = new aws.iamUserPolicy.IamUserPolicy(
      this,
      "lb_ro_3",
      {
        name: "test",
        policy: dataAwsIamPolicyDocumentLbRo.json,
        user: awsIamUserLb.name,
      }
    );
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    awsIamUserPolicyLbRo.overrideLogicalId("lb_ro");
    new cdktf.TerraformOutput(this, "secret", {
      value: awsIamAccessKeyLb.encryptedSecret,
    });
  }
}

import { Construct } from "constructs";
import * as cdktf from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
/*Constructs need a scope, so the resources are created inside a stack. The class name is illustrative.*/
class SmtpAccessKeyStack extends cdktf.TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
    const awsIamUserTest = new aws.iamUser.IamUser(this, "test", {
      name: "test",
      path: "/test/",
    });
    /*No pgpKey here, so secret and sesSmtpPasswordV4 are written to the state file in plaintext.*/
    const awsIamAccessKeyTest = new aws.iamAccessKey.IamAccessKey(this, "test_1", {
      user: awsIamUserTest.name,
    });
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    awsIamAccessKeyTest.overrideLogicalId("test");
    /*sesSmtpPasswordV4 is a credential: marking the output sensitive keeps it out of plan and apply output. It is still stored in the state file.*/
    new cdktf.TerraformOutput(this, "aws_iam_smtp_password_v4", {
      value: awsIamAccessKeyTest.sesSmtpPasswordV4,
      sensitive: true,
    });
  }
}

Argument Reference

The following arguments are supported:

  • pgpKey - (Optional) Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encryptedSecret output attribute. If providing a base-64 encoded PGP public key, make sure to provide the "raw" version and not the "armored" one (e.g. avoid passing the -a option to gpg --export).
  • status - (Optional) Access key status to apply. Defaults to Active. Valid values are Active and Inactive.
  • user - (Required) IAM user to associate with this access key.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • createDate - Date and time in RFC3339 format that the access key was created.
  • encryptedSecret - Encrypted secret, base64 encoded, if pgpKey was specified. This attribute is not available for imported resources. The encrypted secret may be decrypted using the command line, for example: terraform output -raw encrypted_secret | base64 --decode | keybase pgp decrypt.
  • encryptedSesSmtpPasswordV4 - Encrypted SES SMTP password, base64 encoded, if pgpKey was specified. This attribute is not available for imported resources. The encrypted password may be decrypted using the command line, for example: terraform output -raw encrypted_ses_smtp_password_v4 | base64 --decode | keybase pgp decrypt.
  • id - Access key ID.
  • keyFingerprint - Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.
  • secret - Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgpKey instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.
  • sesSmtpPasswordV4 - Secret access key converted into an SES SMTP password by applying AWS's documented SigV4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.
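
The secret attribute's note about the state file can be checked mechanically. The following is an added example, not part of the provider documentation: it scans a Terraform state document (format version 4) and reports every aws_iam_access_key instance whose secret or ses_smtp_password_v4 is stored in plaintext. The auditState function, the Finding type and the sample state are constructed for illustration, and the sample assumes that a key created with pgp_key has null plaintext attributes.

```typescript
// Added example: audit a Terraform state (format version 4) for aws_iam_access_key
// secrets held in plaintext. State files use the provider's snake_case attribute names.
interface Finding { address: string; keyId: string; plaintext: string[]; }

const SENSITIVE = ["secret", "ses_smtp_password_v4"]; // plaintext unless pgp_key was set

function auditState(stateJson: string): Finding[] {
  const state = JSON.parse(stateJson);
  const findings: Finding[] = [];
  for (const res of state.resources ?? []) {
    if (res.mode !== "managed" || res.type !== "aws_iam_access_key") continue;
    for (const inst of res.instances ?? []) {
      const attrs = inst.attributes ?? {};
      // Imported keys and pgp_key-encrypted keys have null or empty values here.
      const plaintext = SENSITIVE.filter(
        (k) => typeof attrs[k] === "string" && attrs[k].length > 0
      );
      if (plaintext.length > 0) {
        const prefix = res.module ? `${res.module}.` : "";
        findings.push({ address: `${prefix}${res.type}.${res.name}`, keyId: String(attrs.id), plaintext });
      }
    }
  }
  return findings;
}

// Constructed sample state (no real credentials): "test" has no pgp_key, "lb" uses one.
const SAMPLE_STATE = JSON.stringify({
  version: 4,
  resources: [
    { mode: "managed", type: "aws_iam_access_key", name: "test", instances: [
      { attributes: { id: "AKIACONSTRUCTED00001", user: "test", pgp_key: null,
          secret: "constructed-secret", ses_smtp_password_v4: "constructed-smtp",
          encrypted_secret: null } } ] },
    { mode: "managed", type: "aws_iam_access_key", name: "lb", instances: [
      { attributes: { id: "AKIACONSTRUCTED00002", user: "loadbalancer",
          pgp_key: "keybase:some_person_that_exists", secret: null,
          ses_smtp_password_v4: null, encrypted_secret: "Y29uc3RydWN0ZWQ=" } } ] },
    { mode: "managed", type: "aws_iam_user", name: "test", instances: [
      { attributes: { id: "test", name: "test" } } ] },
  ],
});

for (const f of auditState(SAMPLE_STATE)) {
  console.log(`${f.address} (${f.keyId}): plaintext ${f.plaintext.join(", ")}`);
}
```

Any key it reports should be treated as exposed to everyone who can read the state backend.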

Import

IAM Access Keys can be imported using the identifier, e.g.,

$ terraform import aws_iam_access_key.example AKIA1234567890

Resource attributes such as encryptedSecret, keyFingerprint, pgpKey, secret, sesSmtpPasswordV4, and encryptedSesSmtpPasswordV4 are not available for imported resources as this information cannot be read from the IAM API.