1. How to create and encrypt an IAM access key in Pulumi?

    TypeScript

    In AWS, IAM access keys are long-term credentials for IAM users or the AWS account root user. It is generally a best practice not to use IAM access keys at all, and instead to use other forms of credentials such as temporary credentials obtained by assuming an IAM role.

    If you still need to use IAM access keys, Pulumi's AWS package provides a way to manage an IAM user's access key. When creating an access key, AWS returns both the access key ID (which can safely be left in plain text) and the secret access key, which is sensitive and should be encrypted. You can ensure this by wrapping the value in pulumi.secret, which marks it as a secret; wrapping an output that is already secret is harmless.

    Note that an output which is not marked secret is shown in plain text in the pulumi up / pulumi preview output and is stored in plain text in the stack state. Marking it with pulumi.secret causes the CLI to display it as [secret] and the stack state to store it encrypted.

    Here's an example of that:

        import * as pulumi from "@pulumi/pulumi";
        import * as aws from "@pulumi/aws";

        // Create an AWS IAM user
        const user = new aws.iam.User("myUser", {});

        // Create an AWS IAM access key for the created user
        const key = new aws.iam.AccessKey("myKey", {
            user: user.name, // Reference the IAM user
        });

        // Export the name of the user
        export const userName = user.name;

        // Encrypt the IAM secret access key
        export const secretAccessKey = pulumi.secret(key.secret);

    With this program, an IAM user and an access key for that user are created. The pulumi.secret function marks the IAM secret access key as a secret, ensuring it is encrypted in the stack state and redacted in CLI output. The secret still exists in the state (encrypted with the stack's secrets provider), so anyone who can read the stack can ultimately recover it. If you would rather the plaintext never enter the state at all, aws.iam.AccessKey also accepts a pgpKey input; when it is set, the provider exposes the key only in PGP-encrypted form through the encryptedSecret output.

    You can read the plain text value of a secret output from the CLI with pulumi stack output secretAccessKey --show-secrets (or pulumi stack output --json --show-secrets for all outputs); Pulumi Output values have no decrypt() method. Inside the program itself the plaintext is available to any .apply callback, so be careful what you log there. Use --show-secrets sparingly and clear your shell history afterwards, since the command and its output may be recorded.
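    As an added example that is not part of the original answer: a small TypeScript helper that consumes the JSON printed by pulumi stack output --json --show-secrets and turns it into an AWS shared-credentials profile, refusing to write the [secret] placeholder that the CLI prints when --show-secrets is omitted. It assumes the Pulumi program additionally exports accessKeyId (a hypothetical export; the program above only exports userName and secretAccessKey), and the sample JSON documents are constructed for illustration.

```typescript
// Added example (not from the original answer or the Pulumi project):
// consume `pulumi stack output --json [--show-secrets]` and render an AWS
// shared-credentials profile without ever writing a redacted placeholder.
// Assumes the Pulumi program also exports `accessKeyId` (hypothetical).

interface StackOutputs {
  userName?: string;
  accessKeyId?: string;
  secretAccessKey?: string;
}

// Without --show-secrets, Pulumi replaces secret outputs with this literal.
const REDACTED = "[secret]";

// IAM user access key IDs are 20 characters: "AKIA" followed by 16 uppercase
// alphanumerics. Anything else is not a long-term IAM user key.
const ACCESS_KEY_ID_RE = /^AKIA[0-9A-Z]{16}$/;

function parseStackOutputs(json: string): StackOutputs {
  const parsed: unknown = JSON.parse(json);
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    throw new Error("stack outputs must be a JSON object");
  }
  return parsed as StackOutputs;
}

function isRedacted(value: string | undefined): boolean {
  return value === undefined || value === REDACTED;
}

// Returns the INI text for a profile in ~/.aws/credentials. Throws instead of
// writing a placeholder or a malformed key ID; the caller is responsible for
// writing the file with mode 0600.
function renderCredentialsProfile(outputs: StackOutputs, profile = "pulumi-iam-user"): string {
  if (!outputs.accessKeyId || !ACCESS_KEY_ID_RE.test(outputs.accessKeyId)) {
    throw new Error("accessKeyId output missing or not an IAM user access key ID");
  }
  if (isRedacted(outputs.secretAccessKey)) {
    throw new Error("secretAccessKey is redacted; re-run `pulumi stack output --json --show-secrets`");
  }
  return [
    `[${profile}]`,
    `aws_access_key_id = ${outputs.accessKeyId}`,
    `aws_secret_access_key = ${outputs.secretAccessKey}`,
    "",
  ].join("\n");
}

// Constructed samples of what the CLI prints without and with --show-secrets.
// The key values are the documented AWS placeholder credentials, not real ones.
const SAMPLE_REDACTED =
  `{"userName":"myUser-0a1b2c3","accessKeyId":"AKIAIOSFODNN7EXAMPLE","secretAccessKey":"[secret]"}`;
const SAMPLE_SHOWN =
  `{"userName":"myUser-0a1b2c3","accessKeyId":"AKIAIOSFODNN7EXAMPLE",` +
  `"secretAccessKey":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}`;

// Runs both samples: the redacted one must be refused, the shown one rendered.
function demo(): { refusedRedacted: boolean; profile: string } {
  let refusedRedacted = false;
  try {
    renderCredentialsProfile(parseStackOutputs(SAMPLE_REDACTED));
  } catch {
    refusedRedacted = true;
  }
  return { refusedRedacted, profile: renderCredentialsProfile(parseStackOutputs(SAMPLE_SHOWN)) };
}
```

    The helper deliberately fails closed: a profile containing the literal [secret] would silently break every later AWS call, and a key ID that does not look like an IAM user key usually means the wrong output was exported.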

    You can find more information about Pulumi secret values in the Pulumi Documentation.

    You can learn more about this resource in the Pulumi Registry documentation for aws.iam.AccessKey.