AWS Classic

v5.16.0 published on Saturday, Sep 24, 2022 by Pulumi

AccessKey

Provides an IAM access key. This is a set of credentials that allow API requests to be made as an IAM user.

Example Usage

using System.Collections.Generic;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var lbUser = new Aws.Iam.User("lbUser", new()
    {
        Path = "/system/",
    });

    var lbAccessKey = new Aws.Iam.AccessKey("lbAccessKey", new()
    {
        User = lbUser.Name,
        PgpKey = "keybase:some_person_that_exists",
    });

    var lbRo = new Aws.Iam.UserPolicy("lbRo", new()
    {
        User = lbUser.Name,
        Policy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
      ""Action"": [
        ""ec2:Describe*""
      ],
      ""Effect"": ""Allow"",
      ""Resource"": ""*""
    }
  ]
}
",
    });

    return new Dictionary<string, object?>
    {
        ["secret"] = lbAccessKey.EncryptedSecret,
    };
});
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		lbUser, err := iam.NewUser(ctx, "lbUser", &iam.UserArgs{
			Path: pulumi.String("/system/"),
		})
		if err != nil {
			return err
		}
		lbAccessKey, err := iam.NewAccessKey(ctx, "lbAccessKey", &iam.AccessKeyArgs{
			User:   lbUser.Name,
			PgpKey: pulumi.String("keybase:some_person_that_exists"),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewUserPolicy(ctx, "lbRo", &iam.UserPolicyArgs{
			User: lbUser.Name,
			Policy: pulumi.Any(fmt.Sprintf(`{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
`)),
		})
		if err != nil {
			return err
		}
		ctx.Export("secret", lbAccessKey.EncryptedSecret)
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.User;
import com.pulumi.aws.iam.UserArgs;
import com.pulumi.aws.iam.AccessKey;
import com.pulumi.aws.iam.AccessKeyArgs;
import com.pulumi.aws.iam.UserPolicy;
import com.pulumi.aws.iam.UserPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var lbUser = new User("lbUser", UserArgs.builder()        
            .path("/system/")
            .build());

        var lbAccessKey = new AccessKey("lbAccessKey", AccessKeyArgs.builder()        
            .user(lbUser.name())
            .pgpKey("keybase:some_person_that_exists")
            .build());

        var lbRo = new UserPolicy("lbRo", UserPolicyArgs.builder()        
            .user(lbUser.name())
            .policy("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
            """)
            .build());

        ctx.export("secret", lbAccessKey.encryptedSecret());
    }
}
import pulumi
import pulumi_aws as aws

lb_user = aws.iam.User("lbUser", path="/system/")
lb_access_key = aws.iam.AccessKey("lbAccessKey",
    user=lb_user.name,
    pgp_key="keybase:some_person_that_exists")
lb_ro = aws.iam.UserPolicy("lbRo",
    user=lb_user.name,
    policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
""")
pulumi.export("secret", lb_access_key.encrypted_secret)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const lbUser = new aws.iam.User("lbUser", {path: "/system/"});
const lbAccessKey = new aws.iam.AccessKey("lbAccessKey", {
    user: lbUser.name,
    pgpKey: "keybase:some_person_that_exists",
});
const lbRo = new aws.iam.UserPolicy("lbRo", {
    user: lbUser.name,
    policy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
`,
});
export const secret = lbAccessKey.encryptedSecret;
resources:
  lbAccessKey:
    type: aws:iam:AccessKey
    properties:
      user: ${lbUser.name}
      pgpKey: keybase:some_person_that_exists
  lbUser:
    type: aws:iam:User
    properties:
      path: /system/
  lbRo:
    type: aws:iam:UserPolicy
    properties:
      user: ${lbUser.name}
      policy: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": [
                "ec2:Describe*"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
          ]
        }        
outputs:
  secret: ${lbAccessKey.encryptedSecret}

Create a AccessKey Resource

new AccessKey(name: string, args: AccessKeyArgs, opts?: CustomResourceOptions);
@overload
def AccessKey(resource_name: str,
              opts: Optional[ResourceOptions] = None,
              pgp_key: Optional[str] = None,
              status: Optional[str] = None,
              user: Optional[str] = None)
@overload
def AccessKey(resource_name: str,
              args: AccessKeyArgs,
              opts: Optional[ResourceOptions] = None)
func NewAccessKey(ctx *Context, name string, args AccessKeyArgs, opts ...ResourceOption) (*AccessKey, error)
public AccessKey(string name, AccessKeyArgs args, CustomResourceOptions? opts = null)
public AccessKey(String name, AccessKeyArgs args)
public AccessKey(String name, AccessKeyArgs args, CustomResourceOptions options)
type: aws:iam:AccessKey
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args AccessKeyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args AccessKeyArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args AccessKeyArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args AccessKeyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args AccessKeyArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

AccessKey Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The AccessKey resource accepts the following input properties:

User string

IAM user to associate with this access key.

PgpKey string

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.

Status string

Access key status to apply. Defaults to Active. Valid values are Active and Inactive.

User string

IAM user to associate with this access key.

PgpKey string

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.

Status string

Access key status to apply. Defaults to Active. Valid values are Active and Inactive.

user String

IAM user to associate with this access key.

pgpKey String

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.

status String

Access key status to apply. Defaults to Active. Valid values are Active and Inactive.

user string

IAM user to associate with this access key.

pgpKey string

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.

status string

Access key status to apply. Defaults to Active. Valid values are Active and Inactive.

user str

IAM user to associate with this access key.

pgp_key str

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.

status str

Access key status to apply. Defaults to Active. Valid values are Active and Inactive.

user String

IAM user to associate with this access key.

pgpKey String

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.

status String

Access key status to apply. Defaults to Active. Valid values are Active and Inactive.

Outputs

All input properties are implicitly available as output properties. Additionally, the AccessKey resource produces the following output properties:

CreateDate string

Date and time in RFC3339 format that the access key was created.

EncryptedSecret string
EncryptedSesSmtpPasswordV4 string
Id string

The provider-assigned unique ID for this managed resource.

KeyFingerprint string

Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.

Secret string

Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.

SesSmtpPasswordV4 string

Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.

CreateDate string

Date and time in RFC3339 format that the access key was created.

EncryptedSecret string
EncryptedSesSmtpPasswordV4 string
Id string

The provider-assigned unique ID for this managed resource.

KeyFingerprint string

Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.

Secret string

Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.

SesSmtpPasswordV4 string

Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.

createDate String

Date and time in RFC3339 format that the access key was created.

encryptedSecret String
encryptedSesSmtpPasswordV4 String
id String

The provider-assigned unique ID for this managed resource.

keyFingerprint String

Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.

secret String

Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.

sesSmtpPasswordV4 String

Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.

createDate string

Date and time in RFC3339 format that the access key was created.

encryptedSecret string
encryptedSesSmtpPasswordV4 string
id string

The provider-assigned unique ID for this managed resource.

keyFingerprint string

Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.

secret string

Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.

sesSmtpPasswordV4 string

Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.

create_date str

Date and time in RFC3339 format that the access key was created.

encrypted_secret str
encrypted_ses_smtp_password_v4 str
id str

The provider-assigned unique ID for this managed resource.

key_fingerprint str

Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.

secret str

Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.

ses_smtp_password_v4 str

Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.

createDate String

Date and time in RFC3339 format that the access key was created.

encryptedSecret String
encryptedSesSmtpPasswordV4 String
id String

The provider-assigned unique ID for this managed resource.

keyFingerprint String

Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.

secret String

Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.

sesSmtpPasswordV4 String

Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.

Look up an Existing AccessKey Resource

Get an existing AccessKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AccessKeyState, opts?: CustomResourceOptions): AccessKey
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        create_date: Optional[str] = None,
        encrypted_secret: Optional[str] = None,
        encrypted_ses_smtp_password_v4: Optional[str] = None,
        key_fingerprint: Optional[str] = None,
        pgp_key: Optional[str] = None,
        secret: Optional[str] = None,
        ses_smtp_password_v4: Optional[str] = None,
        status: Optional[str] = None,
        user: Optional[str] = None) -> AccessKey
func GetAccessKey(ctx *Context, name string, id IDInput, state *AccessKeyState, opts ...ResourceOption) (*AccessKey, error)
public static AccessKey Get(string name, Input<string> id, AccessKeyState? state, CustomResourceOptions? opts = null)
public static AccessKey get(String name, Output<String> id, AccessKeyState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
CreateDate string

Date and time in RFC3339 format that the access key was created.

EncryptedSecret string
EncryptedSesSmtpPasswordV4 string
KeyFingerprint string

Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.

PgpKey string

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.

Secret string

Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.

SesSmtpPasswordV4 string

Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.

Status string

Access key status to apply. Defaults to Active. Valid values are Active and Inactive.

User string

IAM user to associate with this access key.

CreateDate string

Date and time in RFC3339 format that the access key was created.

EncryptedSecret string
EncryptedSesSmtpPasswordV4 string
KeyFingerprint string

Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.

PgpKey string

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.

Secret string

Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.

SesSmtpPasswordV4 string

Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.

Status string

Access key status to apply. Defaults to Active. Valid values are Active and Inactive.

User string

IAM user to associate with this access key.

createDate String

Date and time in RFC3339 format that the access key was created.

encryptedSecret String
encryptedSesSmtpPasswordV4 String
keyFingerprint String

Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.

pgpKey String

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.

secret String

Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.

sesSmtpPasswordV4 String

Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.

status String

Access key status to apply. Defaults to Active. Valid values are Active and Inactive.

user String

IAM user to associate with this access key.

createDate string

Date and time in RFC3339 format that the access key was created.

encryptedSecret string
encryptedSesSmtpPasswordV4 string
keyFingerprint string

Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.

pgpKey string

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.

secret string

Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.

sesSmtpPasswordV4 string

Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.

status string

Access key status to apply. Defaults to Active. Valid values are Active and Inactive.

user string

IAM user to associate with this access key.

create_date str

Date and time in RFC3339 format that the access key was created.

encrypted_secret str
encrypted_ses_smtp_password_v4 str
key_fingerprint str

Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.

pgp_key str

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.

secret str

Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.

ses_smtp_password_v4 str

Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.

status str

Access key status to apply. Defaults to Active. Valid values are Active and Inactive.

user str

IAM user to associate with this access key.

createDate String

Date and time in RFC3339 format that the access key was created.

encryptedSecret String
encryptedSesSmtpPasswordV4 String
keyFingerprint String

Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.

pgpKey String

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.

secret String

Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.

sesSmtpPasswordV4 String

Secret access key converted into an SES SMTP password by applying AWS's documented Sigv4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.

status String

Access key status to apply. Defaults to Active. Valid values are Active and Inactive.

user String

IAM user to associate with this access key.

Import

IAM Access Keys can be imported using the identifier, e.g.,

 $ pulumi import aws:iam/accessKey:AccessKey example AKIA1234567890

Resource attributes such as encrypted_secret, key_fingerprint, pgp_key, secret, ses_smtp_password_v4, and encrypted_ses_smtp_password_v4 are not available for imported resources as this information cannot be read from the IAM API.

Package Details

Repository
https://github.com/pulumi/pulumi-aws
License
Apache-2.0
Notes

This Pulumi package is based on the aws Terraform Provider.