AWS v6.83.0, Jun 16 25

AWS v6.83.0 published on Monday, Jun 16, 2025 by Pulumi

aws.iam.AccessKey

Explore with Pulumi AI

AWS v6.83.0 published on Monday, Jun 16, 2025 by Pulumi

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const lbUser = new aws.iam.User("lb", {
    name: "loadbalancer",
    path: "/system/",
});
const lb = new aws.iam.AccessKey("lb", {
    user: lbUser.name,
    pgpKey: "keybase:some_person_that_exists",
});
const lbRo = aws.iam.getPolicyDocument({
    statements: [{
        effect: "Allow",
        actions: ["ec2:Describe*"],
        resources: ["*"],
    }],
});
const lbRoUserPolicy = new aws.iam.UserPolicy("lb_ro", {
    name: "test",
    user: lbUser.name,
    policy: lbRo.then(lbRo => lbRo.json),
});
export const secret = lb.encryptedSecret;

import pulumi
import pulumi_aws as aws

lb_user = aws.iam.User("lb",
    name="loadbalancer",
    path="/system/")
lb = aws.iam.AccessKey("lb",
    user=lb_user.name,
    pgp_key="keybase:some_person_that_exists")
lb_ro = aws.iam.get_policy_document(statements=[{
    "effect": "Allow",
    "actions": ["ec2:Describe*"],
    "resources": ["*"],
}])
lb_ro_user_policy = aws.iam.UserPolicy("lb_ro",
    name="test",
    user=lb_user.name,
    policy=lb_ro.json)
pulumi.export("secret", lb.encrypted_secret)

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		lbUser, err := iam.NewUser(ctx, "lb", &iam.UserArgs{
			Name: pulumi.String("loadbalancer"),
			Path: pulumi.String("/system/"),
		})
		if err != nil {
			return err
		}
		lb, err := iam.NewAccessKey(ctx, "lb", &iam.AccessKeyArgs{
			User:   lbUser.Name,
			PgpKey: pulumi.String("keybase:some_person_that_exists"),
		})
		if err != nil {
			return err
		}
		lbRo, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Effect: pulumi.StringRef("Allow"),
					Actions: []string{
						"ec2:Describe*",
					},
					Resources: []string{
						"*",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iam.NewUserPolicy(ctx, "lb_ro", &iam.UserPolicyArgs{
			Name:   pulumi.String("test"),
			User:   lbUser.Name,
			Policy: pulumi.String(lbRo.Json),
		})
		if err != nil {
			return err
		}
		ctx.Export("secret", lb.EncryptedSecret)
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var lbUser = new Aws.Iam.User("lb", new()
    {
        Name = "loadbalancer",
        Path = "/system/",
    });

    var lb = new Aws.Iam.AccessKey("lb", new()
    {
        User = lbUser.Name,
        PgpKey = "keybase:some_person_that_exists",
    });

    var lbRo = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Effect = "Allow",
                Actions = new[]
                {
                    "ec2:Describe*",
                },
                Resources = new[]
                {
                    "*",
                },
            },
        },
    });

    var lbRoUserPolicy = new Aws.Iam.UserPolicy("lb_ro", new()
    {
        Name = "test",
        User = lbUser.Name,
        Policy = lbRo.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
    });

    return new Dictionary<string, object?>
    {
        ["secret"] = lb.EncryptedSecret,
    };
});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.User;
import com.pulumi.aws.iam.UserArgs;
import com.pulumi.aws.iam.AccessKey;
import com.pulumi.aws.iam.AccessKeyArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.UserPolicy;
import com.pulumi.aws.iam.UserPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var lbUser = new User("lbUser", UserArgs.builder()
            .name("loadbalancer")
            .path("/system/")
            .build());

        var lb = new AccessKey("lb", AccessKeyArgs.builder()
            .user(lbUser.name())
            .pgpKey("keybase:some_person_that_exists")
            .build());

        final var lbRo = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .actions("ec2:Describe*")
                .resources("*")
                .build())
            .build());

        var lbRoUserPolicy = new UserPolicy("lbRoUserPolicy", UserPolicyArgs.builder()
            .name("test")
            .user(lbUser.name())
            .policy(lbRo.json())
            .build());

        ctx.export("secret", lb.encryptedSecret());
    }
}

resources:
  lb:
    type: aws:iam:AccessKey
    properties:
      user: ${lbUser.name}
      pgpKey: keybase:some_person_that_exists
  lbUser:
    type: aws:iam:User
    name: lb
    properties:
      name: loadbalancer
      path: /system/
  lbRoUserPolicy:
    type: aws:iam:UserPolicy
    name: lb_ro
    properties:
      name: test
      user: ${lbUser.name}
      policy: ${lbRo.json}
variables:
  lbRo:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - effect: Allow
            actions:
              - ec2:Describe*
            resources:
              - '*'
outputs:
  secret: ${lb.encryptedSecret}

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const test = new aws.iam.User("test", {
    name: "test",
    path: "/test/",
});
const testAccessKey = new aws.iam.AccessKey("test", {user: test.name});
export const awsIamSmtpPasswordV4 = testAccessKey.sesSmtpPasswordV4;

import pulumi
import pulumi_aws as aws

test = aws.iam.User("test",
    name="test",
    path="/test/")
test_access_key = aws.iam.AccessKey("test", user=test.name)
pulumi.export("awsIamSmtpPasswordV4", test_access_key.ses_smtp_password_v4)

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		test, err := iam.NewUser(ctx, "test", &iam.UserArgs{
			Name: pulumi.String("test"),
			Path: pulumi.String("/test/"),
		})
		if err != nil {
			return err
		}
		testAccessKey, err := iam.NewAccessKey(ctx, "test", &iam.AccessKeyArgs{
			User: test.Name,
		})
		if err != nil {
			return err
		}
		ctx.Export("awsIamSmtpPasswordV4", testAccessKey.SesSmtpPasswordV4)
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var test = new Aws.Iam.User("test", new()
    {
        Name = "test",
        Path = "/test/",
    });

    var testAccessKey = new Aws.Iam.AccessKey("test", new()
    {
        User = test.Name,
    });

    return new Dictionary<string, object?>
    {
        ["awsIamSmtpPasswordV4"] = testAccessKey.SesSmtpPasswordV4,
    };
});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.User;
import com.pulumi.aws.iam.UserArgs;
import com.pulumi.aws.iam.AccessKey;
import com.pulumi.aws.iam.AccessKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var test = new User("test", UserArgs.builder()
            .name("test")
            .path("/test/")
            .build());

        var testAccessKey = new AccessKey("testAccessKey", AccessKeyArgs.builder()
            .user(test.name())
            .build());

        ctx.export("awsIamSmtpPasswordV4", testAccessKey.sesSmtpPasswordV4());
    }
}

resources:
  test:
    type: aws:iam:User
    properties:
      name: test
      path: /test/
  testAccessKey:
    type: aws:iam:AccessKey
    name: test
    properties:
      user: ${test.name}
outputs:
  awsIamSmtpPasswordV4: ${testAccessKey.sesSmtpPasswordV4}

Create AccessKey Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new AccessKey(name: string, args: AccessKeyArgs, opts?: CustomResourceOptions);

@overload
def AccessKey(resource_name: str,
              args: AccessKeyArgs,
              opts: Optional[ResourceOptions] = None)

@overload
def AccessKey(resource_name: str,
              opts: Optional[ResourceOptions] = None,
              user: Optional[str] = None,
              pgp_key: Optional[str] = None,
              status: Optional[str] = None)

func NewAccessKey(ctx *Context, name string, args AccessKeyArgs, opts ...ResourceOption) (*AccessKey, error)

public AccessKey(string name, AccessKeyArgs args, CustomResourceOptions? opts = null)

public AccessKey(String name, AccessKeyArgs args)
public AccessKey(String name, AccessKeyArgs args, CustomResourceOptions options)

type: aws:iam:AccessKey
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args AccessKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args AccessKeyArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args AccessKeyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AccessKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args AccessKeyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var accessKeyResource = new Aws.Iam.AccessKey("accessKeyResource", new()
{
    User = "string",
    PgpKey = "string",
    Status = "string",
});

example, err := iam.NewAccessKey(ctx, "accessKeyResource", &iam.AccessKeyArgs{
	User:   pulumi.String("string"),
	PgpKey: pulumi.String("string"),
	Status: pulumi.String("string"),
})

var accessKeyResource = new AccessKey("accessKeyResource", AccessKeyArgs.builder()
    .user("string")
    .pgpKey("string")
    .status("string")
    .build());

access_key_resource = aws.iam.AccessKey("accessKeyResource",
    user="string",
    pgp_key="string",
    status="string")

const accessKeyResource = new aws.iam.AccessKey("accessKeyResource", {
    user: "string",
    pgpKey: "string",
    status: "string",
});

type: aws:iam:AccessKey
properties:
    pgpKey: string
    status: string
    user: string

AccessKey Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The AccessKey resource accepts the following input properties:

User string: IAM user to associate with this access key.
PgpKey string: Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute. If providing a base-64 encoded PGP public key, make sure to provide the "raw" version and not the "armored" one (e.g. avoid passing the -a option to gpg --export).
Status string: Access key status to apply. Defaults to Active. Valid values are Active and Inactive.

User string: IAM user to associate with this access key.
PgpKey string: Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute. If providing a base-64 encoded PGP public key, make sure to provide the "raw" version and not the "armored" one (e.g. avoid passing the -a option to gpg --export).
Status string: Access key status to apply. Defaults to Active. Valid values are Active and Inactive.

user String: IAM user to associate with this access key.
pgpKey String: Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute. If providing a base-64 encoded PGP public key, make sure to provide the "raw" version and not the "armored" one (e.g. avoid passing the -a option to gpg --export).
status String: Access key status to apply. Defaults to Active. Valid values are Active and Inactive.

user string: IAM user to associate with this access key.
pgpKey string: Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute. If providing a base-64 encoded PGP public key, make sure to provide the "raw" version and not the "armored" one (e.g. avoid passing the -a option to gpg --export).
status string: Access key status to apply. Defaults to Active. Valid values are Active and Inactive.

user str: IAM user to associate with this access key.
pgp_key str: Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute. If providing a base-64 encoded PGP public key, make sure to provide the "raw" version and not the "armored" one (e.g. avoid passing the -a option to gpg --export).
status str: Access key status to apply. Defaults to Active. Valid values are Active and Inactive.

user String: IAM user to associate with this access key.
pgpKey String: Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute. If providing a base-64 encoded PGP public key, make sure to provide the "raw" version and not the "armored" one (e.g. avoid passing the -a option to gpg --export).
status String: Access key status to apply. Defaults to Active. Valid values are Active and Inactive.

Outputs

All input properties are implicitly available as output properties. Additionally, the AccessKey resource produces the following output properties:

CreateDate string: Date and time in RFC3339 format that the access key was created.
EncryptedSecret string: Encrypted secret, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted secret may be decrypted using the command line.
EncryptedSesSmtpPasswordV4 string: Encrypted SES SMTP password, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted password may be decrypted using the command line.
Id string: The provider-assigned unique ID for this managed resource.
KeyFingerprint string: Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.
Secret string: Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.
SesSmtpPasswordV4 string: Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.

CreateDate string: Date and time in RFC3339 format that the access key was created.
EncryptedSecret string: Encrypted secret, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted secret may be decrypted using the command line.
EncryptedSesSmtpPasswordV4 string: Encrypted SES SMTP password, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted password may be decrypted using the command line.
Id string: The provider-assigned unique ID for this managed resource.
KeyFingerprint string: Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.
Secret string: Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.
SesSmtpPasswordV4 string: Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.

createDate String: Date and time in RFC3339 format that the access key was created.
encryptedSecret String: Encrypted secret, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted secret may be decrypted using the command line.
encryptedSesSmtpPasswordV4 String: Encrypted SES SMTP password, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted password may be decrypted using the command line.
id String: The provider-assigned unique ID for this managed resource.
keyFingerprint String: Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.
secret String: Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.
sesSmtpPasswordV4 String: Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.

createDate string: Date and time in RFC3339 format that the access key was created.
encryptedSecret string: Encrypted secret, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted secret may be decrypted using the command line.
encryptedSesSmtpPasswordV4 string: Encrypted SES SMTP password, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted password may be decrypted using the command line.
id string: The provider-assigned unique ID for this managed resource.
keyFingerprint string: Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.
secret string: Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.
sesSmtpPasswordV4 string: Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.

create_date str: Date and time in RFC3339 format that the access key was created.
encrypted_secret str: Encrypted secret, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted secret may be decrypted using the command line.
encrypted_ses_smtp_password_v4 str: Encrypted SES SMTP password, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted password may be decrypted using the command line.
id str: The provider-assigned unique ID for this managed resource.
key_fingerprint str: Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.
secret str: Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.
ses_smtp_password_v4 str: Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.

createDate String: Date and time in RFC3339 format that the access key was created.
encryptedSecret String: Encrypted secret, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted secret may be decrypted using the command line.
encryptedSesSmtpPasswordV4 String: Encrypted SES SMTP password, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted password may be decrypted using the command line.
id String: The provider-assigned unique ID for this managed resource.
keyFingerprint String: Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.
secret String: Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.
sesSmtpPasswordV4 String: Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.

Look up Existing AccessKey Resource

Get an existing AccessKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AccessKeyState, opts?: CustomResourceOptions): AccessKey

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        create_date: Optional[str] = None,
        encrypted_secret: Optional[str] = None,
        encrypted_ses_smtp_password_v4: Optional[str] = None,
        key_fingerprint: Optional[str] = None,
        pgp_key: Optional[str] = None,
        secret: Optional[str] = None,
        ses_smtp_password_v4: Optional[str] = None,
        status: Optional[str] = None,
        user: Optional[str] = None) -> AccessKey

func GetAccessKey(ctx *Context, name string, id IDInput, state *AccessKeyState, opts ...ResourceOption) (*AccessKey, error)

public static AccessKey Get(string name, Input<string> id, AccessKeyState? state, CustomResourceOptions? opts = null)

public static AccessKey get(String name, Output<String> id, AccessKeyState state, CustomResourceOptions options)

resources:  _:    type: aws:iam:AccessKey    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

CreateDate string: Date and time in RFC3339 format that the access key was created.
EncryptedSecret string: Encrypted secret, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted secret may be decrypted using the command line.
EncryptedSesSmtpPasswordV4 string: Encrypted SES SMTP password, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted password may be decrypted using the command line.
KeyFingerprint string: Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.
PgpKey string: Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute. If providing a base-64 encoded PGP public key, make sure to provide the "raw" version and not the "armored" one (e.g. avoid passing the -a option to gpg --export).
Secret string: Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.
SesSmtpPasswordV4 string: Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.
Status string: Access key status to apply. Defaults to Active. Valid values are Active and Inactive.
User string: IAM user to associate with this access key.

CreateDate string: Date and time in RFC3339 format that the access key was created.
EncryptedSecret string: Encrypted secret, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted secret may be decrypted using the command line.
EncryptedSesSmtpPasswordV4 string: Encrypted SES SMTP password, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted password may be decrypted using the command line.
KeyFingerprint string: Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.
PgpKey string: Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute. If providing a base-64 encoded PGP public key, make sure to provide the "raw" version and not the "armored" one (e.g. avoid passing the -a option to gpg --export).
Secret string: Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.
SesSmtpPasswordV4 string: Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.
Status string: Access key status to apply. Defaults to Active. Valid values are Active and Inactive.
User string: IAM user to associate with this access key.

createDate String: Date and time in RFC3339 format that the access key was created.
encryptedSecret String: Encrypted secret, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted secret may be decrypted using the command line.
encryptedSesSmtpPasswordV4 String: Encrypted SES SMTP password, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted password may be decrypted using the command line.
keyFingerprint String: Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.
pgpKey String: Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute. If providing a base-64 encoded PGP public key, make sure to provide the "raw" version and not the "armored" one (e.g. avoid passing the -a option to gpg --export).
secret String: Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.
sesSmtpPasswordV4 String: Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.
status String: Access key status to apply. Defaults to Active. Valid values are Active and Inactive.
user String: IAM user to associate with this access key.

createDate string: Date and time in RFC3339 format that the access key was created.
encryptedSecret string: Encrypted secret, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted secret may be decrypted using the command line.
encryptedSesSmtpPasswordV4 string: Encrypted SES SMTP password, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted password may be decrypted using the command line.
keyFingerprint string: Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.
pgpKey string: Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute. If providing a base-64 encoded PGP public key, make sure to provide the "raw" version and not the "armored" one (e.g. avoid passing the -a option to gpg --export).
secret string: Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.
sesSmtpPasswordV4 string: Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.
status string: Access key status to apply. Defaults to Active. Valid values are Active and Inactive.
user string: IAM user to associate with this access key.

create_date str: Date and time in RFC3339 format that the access key was created.
encrypted_secret str: Encrypted secret, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted secret may be decrypted using the command line.
encrypted_ses_smtp_password_v4 str: Encrypted SES SMTP password, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted password may be decrypted using the command line.
key_fingerprint str: Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.
pgp_key str: Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute. If providing a base-64 encoded PGP public key, make sure to provide the "raw" version and not the "armored" one (e.g. avoid passing the -a option to gpg --export).
secret str: Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.
ses_smtp_password_v4 str: Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.
status str: Access key status to apply. Defaults to Active. Valid values are Active and Inactive.
user str: IAM user to associate with this access key.

createDate String: Date and time in RFC3339 format that the access key was created.
encryptedSecret String: Encrypted secret, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted secret may be decrypted using the command line.
encryptedSesSmtpPasswordV4 String: Encrypted SES SMTP password, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted password may be decrypted using the command line.
keyFingerprint String: Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.
pgpKey String: Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute. If providing a base-64 encoded PGP public key, make sure to provide the "raw" version and not the "armored" one (e.g. avoid passing the -a option to gpg --export).
secret String: Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.
sesSmtpPasswordV4 String: Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.
status String: Access key status to apply. Defaults to Active. Valid values are Active and Inactive.
user String: IAM user to associate with this access key.

Import

Using pulumi import, import IAM Access Keys using the identifier. For example:

$ pulumi import aws:iam/accessKey:AccessKey example AKIA1234567890

Resource attributes such as encrypted_secret, key_fingerprint, pgp_key, secret, ses_smtp_password_v4, and encrypted_ses_smtp_password_v4 are not available for imported resources as this information cannot be read from the IAM API.

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: AWS Classic pulumi/pulumi-aws
License: Apache-2.0
Notes: This Pulumi package is based on the aws Terraform Provider.

AWS v6.83.0 published on Monday, Jun 16, 2025 by Pulumi

pulumi/pulumi-aws

aws.iam.AccessKey

On this page

On this page

Example Usage

Create AccessKey Resource

Constructor syntax

Parameters

Constructor example

AccessKey Resource Properties

Inputs

Outputs

Look up Existing AccessKey Resource

Import

Package Details

On this page

On this page