Skip to main content
  1. Docs
  2. Secrets & Configuration
  3. Providers
  4. Rotators
  5. aws-iam

aws-iam

    The aws-iam rotator enables you to rotate access credentials for an AWS IAM user in your Environment. Check out the aws-login documentation to learn more about authenticating with AWS.

    Example

    # my-org/logins/production
    values:
      aws:
        region: us-west-2
        login:
          fn::open::aws-login:
            oidc:
              roleArn: arn:aws:iam::123456789:role/esc-oidc
              sessionName: pulumi-environments-session
              subjectAttributes:
                - currentEnvironment.name
    
    # my-org/rotators/key-rotator
    values:
      iam:
        fn::rotate::aws-iam:
          inputs:
            region: ${environments.logins.production.aws.region}
            login: ${environments.logins.production.aws.login}
            userArn: arn:aws:iam::<account id>:user/<username>
    

    If you have existing access and secret key(s) you want ESC to keep track of, you can optionally provide an initial state.

    # my-org/rotators/key-rotator
    values:
      iam:
        fn::rotate::aws-iam:
          inputs:
            region: ${environments.logins.production.aws.region}
            login: ${environments.logins.production.aws.login}
            userArn: arn:aws:iam::<account id>:user/<username>
          state:
            current:
              accessKeyId: <access key>
              secretAccessKey:
                fn::secret: <secret key>
            previous:
              accessKeyId: <access key>
              secretAccessKey:
                fn::secret: <secret key>
    

    Alternative: static credentials

    Instead of an OIDC login, you can supply static AWS credentials directly to the rotator’s login. The managing credentials must have permission to rotate the target user’s access keys:

    # my-org/rotators/key-rotator
    values:
      iam:
        fn::rotate::aws-iam:
          inputs:
            region: us-west-2
            login:
              accessKeyId: <access key>
              secretAccessKey:
                fn::secret: <secret key>
            userArn: arn:aws:iam::<account id>:user/<username>
    

    Schema reference

    Reference schemas last updated on 2026-07-11, synced automatically from the Pulumi Cloud ESC API.

    Inputs

    • login AWSLogin required
      The AWS credentials to use.
    • accessKeyId string required
      The AWS access key ID.
    • secretAccessKey string required
      The AWS secret access key.
    • sessionToken string optional
      The AWS session token, if any.
    • region string optional
      The AWS region.
    • userArn string required
      The ARN for the IAM user

    State

    • current object required
      The AWS credentials for the IAM user.
    • accessKeyId string required
      The AWS access key ID.
    • createdAt string optional
      When the access key was created, in RFC3339 format.
    • secretAccessKey string required
      The AWS secret access key.
    • previous object optional
      The AWS credentials for the IAM user.
    • accessKeyId string required
      The AWS access key ID.
    • createdAt string optional
      When the access key was created, in RFC3339 format.
    • secretAccessKey string required
      The AWS secret access key.

    Outputs

    • current object required
      The AWS credentials for the IAM user.
    • accessKeyId string required
      The AWS access key ID.
    • createdAt string optional
      When the access key was created, in RFC3339 format.
    • secretAccessKey string required
      The AWS secret access key.
    • previous object optional
      The AWS credentials for the IAM user.
    • accessKeyId string required
      The AWS access key ID.
    • createdAt string optional
      When the access key was created, in RFC3339 format.
    • secretAccessKey string required
      The AWS secret access key.

    Configuring OIDC

    To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and AWS, see the OpenID Connect integration documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following:

    • pulumi env open <org>/<project>/<environment> command of the Pulumi CLI
    • pulumi env open <org>/<project>/<environment> command of the Pulumi CLI

    Make sure to replace <org>, <project>, and <environment> with the values of your Pulumi organization and environment identifier respectively. You should see output similar to the following:

    {
      "aws": {
        "login": {
          "accessKeyId": "ASIA....",
          "secretAccessKey": "mWdm....",
          "sessionToken": "Fwo...."
        }
      },
      "iam": {
       "current": {
          "accessKeyId": "AKIA...",
          "createdAt": "2025-01-01T12:00:00Z",
          "secretAccessKey": "[secret]"
        },
        "previous": {
          "accessKeyId": "AKIA...",
          "createdAt": "2025-01-01T13:00:00Z",
          "secretAccessKey": "[secret]"
        }
      }
    }
    

    Permissions

    The minimum permissions required for the rotation role are:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iam:ListAccessKeys",
            "iam:CreateAccessKey",
            "iam:DeleteAccessKey",
            "iam:GetUser",
            "iam:TagUser"
          ],
          "Resource": "arn:aws:iam::<account id>:user/<username>"
        }
      ]
    }
    

    Troubleshooting

    SymptomLikely causeResolution
    Rotation fails with a permissions errorThe login identity may lack the IAM permissions required to manage the user’s access keys.Grant the rotation role the minimum permissions for the target userArn, then rotate again.
    Rotation fails when creating a new access keyThe IAM user may already have the maximum number of access keys AWS allows, none managed by ESC.Delete an unused access key on the IAM user so the rotator can create a new one, or seed the existing keys via the state input.
    OIDC login fails when opening the environmentThe trust policy or audience on the rotation role may be misconfigured.Verify the OIDC trust relationship per Configuring OIDC for AWS.