AWS v7.8.0, Oct 7 25

AWS v7.8.0 published on Tuesday, Oct 7, 2025 by Pulumi

aws.iam.ServiceSpecificCredential

AWS v7.8.0 published on Tuesday, Oct 7, 2025 by Pulumi

pulumi/pulumi-aws

Example Usage

Basic Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.iam.User("example", {name: "example"});
const exampleServiceSpecificCredential = new aws.iam.ServiceSpecificCredential("example", {
    serviceName: "codecommit.amazonaws.com",
    userName: example.name,
});

import pulumi
import pulumi_aws as aws

example = aws.iam.User("example", name="example")
example_service_specific_credential = aws.iam.ServiceSpecificCredential("example",
    service_name="codecommit.amazonaws.com",
    user_name=example.name)

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := iam.NewUser(ctx, "example", &iam.UserArgs{
			Name: pulumi.String("example"),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewServiceSpecificCredential(ctx, "example", &iam.ServiceSpecificCredentialArgs{
			ServiceName: pulumi.String("codecommit.amazonaws.com"),
			UserName:    example.Name,
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.Iam.User("example", new()
    {
        Name = "example",
    });

    var exampleServiceSpecificCredential = new Aws.Iam.ServiceSpecificCredential("example", new()
    {
        ServiceName = "codecommit.amazonaws.com",
        UserName = example.Name,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.User;
import com.pulumi.aws.iam.UserArgs;
import com.pulumi.aws.iam.ServiceSpecificCredential;
import com.pulumi.aws.iam.ServiceSpecificCredentialArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new User("example", UserArgs.builder()
            .name("example")
            .build());

        var exampleServiceSpecificCredential = new ServiceSpecificCredential("exampleServiceSpecificCredential", ServiceSpecificCredentialArgs.builder()
            .serviceName("codecommit.amazonaws.com")
            .userName(example.name())
            .build());

    }
}

resources:
  example:
    type: aws:iam:User
    properties:
      name: example
  exampleServiceSpecificCredential:
    type: aws:iam:ServiceSpecificCredential
    name: example
    properties:
      serviceName: codecommit.amazonaws.com
      userName: ${example.name}

Bedrock API Key with Expiration

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.iam.User("example", {name: "example"});
const bedrock = new aws.iam.ServiceSpecificCredential("bedrock", {
    serviceName: "bedrock.amazonaws.com",
    userName: example.name,
    credentialAgeDays: 30,
});

import pulumi
import pulumi_aws as aws

example = aws.iam.User("example", name="example")
bedrock = aws.iam.ServiceSpecificCredential("bedrock",
    service_name="bedrock.amazonaws.com",
    user_name=example.name,
    credential_age_days=30)

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := iam.NewUser(ctx, "example", &iam.UserArgs{
			Name: pulumi.String("example"),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewServiceSpecificCredential(ctx, "bedrock", &iam.ServiceSpecificCredentialArgs{
			ServiceName:       pulumi.String("bedrock.amazonaws.com"),
			UserName:          example.Name,
			CredentialAgeDays: pulumi.Int(30),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.Iam.User("example", new()
    {
        Name = "example",
    });

    var bedrock = new Aws.Iam.ServiceSpecificCredential("bedrock", new()
    {
        ServiceName = "bedrock.amazonaws.com",
        UserName = example.Name,
        CredentialAgeDays = 30,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.User;
import com.pulumi.aws.iam.UserArgs;
import com.pulumi.aws.iam.ServiceSpecificCredential;
import com.pulumi.aws.iam.ServiceSpecificCredentialArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new User("example", UserArgs.builder()
            .name("example")
            .build());

        var bedrock = new ServiceSpecificCredential("bedrock", ServiceSpecificCredentialArgs.builder()
            .serviceName("bedrock.amazonaws.com")
            .userName(example.name())
            .credentialAgeDays(30)
            .build());

    }
}

resources:
  example:
    type: aws:iam:User
    properties:
      name: example
  bedrock:
    type: aws:iam:ServiceSpecificCredential
    properties:
      serviceName: bedrock.amazonaws.com
      userName: ${example.name}
      credentialAgeDays: 30 # API key expires after 30 days

Create ServiceSpecificCredential Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new ServiceSpecificCredential(name: string, args: ServiceSpecificCredentialArgs, opts?: CustomResourceOptions);

@overload
def ServiceSpecificCredential(resource_name: str,
                              args: ServiceSpecificCredentialArgs,
                              opts: Optional[ResourceOptions] = None)

@overload
def ServiceSpecificCredential(resource_name: str,
                              opts: Optional[ResourceOptions] = None,
                              service_name: Optional[str] = None,
                              user_name: Optional[str] = None,
                              credential_age_days: Optional[int] = None,
                              status: Optional[str] = None)

func NewServiceSpecificCredential(ctx *Context, name string, args ServiceSpecificCredentialArgs, opts ...ResourceOption) (*ServiceSpecificCredential, error)

public ServiceSpecificCredential(string name, ServiceSpecificCredentialArgs args, CustomResourceOptions? opts = null)

public ServiceSpecificCredential(String name, ServiceSpecificCredentialArgs args)
public ServiceSpecificCredential(String name, ServiceSpecificCredentialArgs args, CustomResourceOptions options)

type: aws:iam:ServiceSpecificCredential
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args ServiceSpecificCredentialArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args ServiceSpecificCredentialArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args ServiceSpecificCredentialArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ServiceSpecificCredentialArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args ServiceSpecificCredentialArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var serviceSpecificCredentialResource = new Aws.Iam.ServiceSpecificCredential("serviceSpecificCredentialResource", new()
{
    ServiceName = "string",
    UserName = "string",
    CredentialAgeDays = 0,
    Status = "string",
});

example, err := iam.NewServiceSpecificCredential(ctx, "serviceSpecificCredentialResource", &iam.ServiceSpecificCredentialArgs{
	ServiceName:       pulumi.String("string"),
	UserName:          pulumi.String("string"),
	CredentialAgeDays: pulumi.Int(0),
	Status:            pulumi.String("string"),
})

var serviceSpecificCredentialResource = new ServiceSpecificCredential("serviceSpecificCredentialResource", ServiceSpecificCredentialArgs.builder()
    .serviceName("string")
    .userName("string")
    .credentialAgeDays(0)
    .status("string")
    .build());

service_specific_credential_resource = aws.iam.ServiceSpecificCredential("serviceSpecificCredentialResource",
    service_name="string",
    user_name="string",
    credential_age_days=0,
    status="string")

const serviceSpecificCredentialResource = new aws.iam.ServiceSpecificCredential("serviceSpecificCredentialResource", {
    serviceName: "string",
    userName: "string",
    credentialAgeDays: 0,
    status: "string",
});

type: aws:iam:ServiceSpecificCredential
properties:
    credentialAgeDays: 0
    serviceName: string
    status: string
    userName: string

ServiceSpecificCredential Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The ServiceSpecificCredential resource accepts the following input properties:

ServiceName string: The name of the AWS service that is to be associated with the credentials. The service you specify here is the only service that can be accessed using these credentials. Supported services are codecommit.amazonaws.com, bedrock.amazonaws.com, and cassandra.amazonaws.com.
UserName string: The name of the IAM user that is to be associated with the credentials. The new service-specific credentials have the same permissions as the associated user except that they can be used only to access the specified service.
CredentialAgeDays int: The number of days until the service specific credential expires. This field is only valid for Bedrock API keys and must be between 1 and 36600 (approximately 100 years). When not specified, the credential will not expire.
Status string: The status to be assigned to the service-specific credential. Valid values are Active, Inactive, and Expired. Default value is Active. Note that Expired is only used for read operations and cannot be set manually.

ServiceName string: The name of the AWS service that is to be associated with the credentials. The service you specify here is the only service that can be accessed using these credentials. Supported services are codecommit.amazonaws.com, bedrock.amazonaws.com, and cassandra.amazonaws.com.
UserName string: The name of the IAM user that is to be associated with the credentials. The new service-specific credentials have the same permissions as the associated user except that they can be used only to access the specified service.
CredentialAgeDays int: The number of days until the service specific credential expires. This field is only valid for Bedrock API keys and must be between 1 and 36600 (approximately 100 years). When not specified, the credential will not expire.
Status string: The status to be assigned to the service-specific credential. Valid values are Active, Inactive, and Expired. Default value is Active. Note that Expired is only used for read operations and cannot be set manually.

serviceName String: The name of the AWS service that is to be associated with the credentials. The service you specify here is the only service that can be accessed using these credentials. Supported services are codecommit.amazonaws.com, bedrock.amazonaws.com, and cassandra.amazonaws.com.
userName String: The name of the IAM user that is to be associated with the credentials. The new service-specific credentials have the same permissions as the associated user except that they can be used only to access the specified service.
credentialAgeDays Integer: The number of days until the service specific credential expires. This field is only valid for Bedrock API keys and must be between 1 and 36600 (approximately 100 years). When not specified, the credential will not expire.
status String: The status to be assigned to the service-specific credential. Valid values are Active, Inactive, and Expired. Default value is Active. Note that Expired is only used for read operations and cannot be set manually.

serviceName string: The name of the AWS service that is to be associated with the credentials. The service you specify here is the only service that can be accessed using these credentials. Supported services are codecommit.amazonaws.com, bedrock.amazonaws.com, and cassandra.amazonaws.com.
userName string: The name of the IAM user that is to be associated with the credentials. The new service-specific credentials have the same permissions as the associated user except that they can be used only to access the specified service.
credentialAgeDays number: The number of days until the service specific credential expires. This field is only valid for Bedrock API keys and must be between 1 and 36600 (approximately 100 years). When not specified, the credential will not expire.
status string: The status to be assigned to the service-specific credential. Valid values are Active, Inactive, and Expired. Default value is Active. Note that Expired is only used for read operations and cannot be set manually.

service_name str: The name of the AWS service that is to be associated with the credentials. The service you specify here is the only service that can be accessed using these credentials. Supported services are codecommit.amazonaws.com, bedrock.amazonaws.com, and cassandra.amazonaws.com.
user_name str: The name of the IAM user that is to be associated with the credentials. The new service-specific credentials have the same permissions as the associated user except that they can be used only to access the specified service.
credential_age_days int: The number of days until the service specific credential expires. This field is only valid for Bedrock API keys and must be between 1 and 36600 (approximately 100 years). When not specified, the credential will not expire.
status str: The status to be assigned to the service-specific credential. Valid values are Active, Inactive, and Expired. Default value is Active. Note that Expired is only used for read operations and cannot be set manually.

serviceName String: The name of the AWS service that is to be associated with the credentials. The service you specify here is the only service that can be accessed using these credentials. Supported services are codecommit.amazonaws.com, bedrock.amazonaws.com, and cassandra.amazonaws.com.
userName String: The name of the IAM user that is to be associated with the credentials. The new service-specific credentials have the same permissions as the associated user except that they can be used only to access the specified service.
credentialAgeDays Number: The number of days until the service specific credential expires. This field is only valid for Bedrock API keys and must be between 1 and 36600 (approximately 100 years). When not specified, the credential will not expire.
status String: The status to be assigned to the service-specific credential. Valid values are Active, Inactive, and Expired. Default value is Active. Note that Expired is only used for read operations and cannot be set manually.

Outputs

All input properties are implicitly available as output properties. Additionally, the ServiceSpecificCredential resource produces the following output properties:

CreateDate string: The date and time, in RFC3339 format, when the service-specific credential was created.
ExpirationDate string: The date and time, in RFC3339 format, when the service specific credential expires. This field is only present for Bedrock API keys that were created with an expiration period.
Id string: The provider-assigned unique ID for this managed resource.
ServiceCredentialAlias string: For Bedrock API keys, this is the public portion of the credential that includes the IAM user name and a suffix containing version and creation information.
ServiceCredentialSecret string: For Bedrock API keys, this is the secret portion of the credential that should be used to authenticate API calls. This value is only available when the credential is created.
ServicePassword string: The generated password for the service-specific credential. This value is only available when the credential is created.
ServiceSpecificCredentialId string: The unique identifier for the service-specific credential.
ServiceUserName string: The generated user name for the service-specific credential. This value is generated by combining the IAM user's name combined with the ID number of the AWS account, as in jane-at-123456789012, for example.

CreateDate string: The date and time, in RFC3339 format, when the service-specific credential was created.
ExpirationDate string: The date and time, in RFC3339 format, when the service specific credential expires. This field is only present for Bedrock API keys that were created with an expiration period.
Id string: The provider-assigned unique ID for this managed resource.
ServiceCredentialAlias string: For Bedrock API keys, this is the public portion of the credential that includes the IAM user name and a suffix containing version and creation information.
ServiceCredentialSecret string: For Bedrock API keys, this is the secret portion of the credential that should be used to authenticate API calls. This value is only available when the credential is created.
ServicePassword string: The generated password for the service-specific credential. This value is only available when the credential is created.
ServiceSpecificCredentialId string: The unique identifier for the service-specific credential.
ServiceUserName string: The generated user name for the service-specific credential. This value is generated by combining the IAM user's name combined with the ID number of the AWS account, as in jane-at-123456789012, for example.

createDate String: The date and time, in RFC3339 format, when the service-specific credential was created.
expirationDate String: The date and time, in RFC3339 format, when the service specific credential expires. This field is only present for Bedrock API keys that were created with an expiration period.
id String: The provider-assigned unique ID for this managed resource.
serviceCredentialAlias String: For Bedrock API keys, this is the public portion of the credential that includes the IAM user name and a suffix containing version and creation information.
serviceCredentialSecret String: For Bedrock API keys, this is the secret portion of the credential that should be used to authenticate API calls. This value is only available when the credential is created.
servicePassword String: The generated password for the service-specific credential. This value is only available when the credential is created.
serviceSpecificCredentialId String: The unique identifier for the service-specific credential.
serviceUserName String: The generated user name for the service-specific credential. This value is generated by combining the IAM user's name combined with the ID number of the AWS account, as in jane-at-123456789012, for example.

createDate string: The date and time, in RFC3339 format, when the service-specific credential was created.
expirationDate string: The date and time, in RFC3339 format, when the service specific credential expires. This field is only present for Bedrock API keys that were created with an expiration period.
id string: The provider-assigned unique ID for this managed resource.
serviceCredentialAlias string: For Bedrock API keys, this is the public portion of the credential that includes the IAM user name and a suffix containing version and creation information.
serviceCredentialSecret string: For Bedrock API keys, this is the secret portion of the credential that should be used to authenticate API calls. This value is only available when the credential is created.
servicePassword string: The generated password for the service-specific credential. This value is only available when the credential is created.
serviceSpecificCredentialId string: The unique identifier for the service-specific credential.
serviceUserName string: The generated user name for the service-specific credential. This value is generated by combining the IAM user's name combined with the ID number of the AWS account, as in jane-at-123456789012, for example.

create_date str: The date and time, in RFC3339 format, when the service-specific credential was created.
expiration_date str: The date and time, in RFC3339 format, when the service specific credential expires. This field is only present for Bedrock API keys that were created with an expiration period.
id str: The provider-assigned unique ID for this managed resource.
service_credential_alias str: For Bedrock API keys, this is the public portion of the credential that includes the IAM user name and a suffix containing version and creation information.
service_credential_secret str: For Bedrock API keys, this is the secret portion of the credential that should be used to authenticate API calls. This value is only available when the credential is created.
service_password str: The generated password for the service-specific credential. This value is only available when the credential is created.
service_specific_credential_id str: The unique identifier for the service-specific credential.
service_user_name str: The generated user name for the service-specific credential. This value is generated by combining the IAM user's name combined with the ID number of the AWS account, as in jane-at-123456789012, for example.

createDate String: The date and time, in RFC3339 format, when the service-specific credential was created.
expirationDate String: The date and time, in RFC3339 format, when the service specific credential expires. This field is only present for Bedrock API keys that were created with an expiration period.
id String: The provider-assigned unique ID for this managed resource.
serviceCredentialAlias String: For Bedrock API keys, this is the public portion of the credential that includes the IAM user name and a suffix containing version and creation information.
serviceCredentialSecret String: For Bedrock API keys, this is the secret portion of the credential that should be used to authenticate API calls. This value is only available when the credential is created.
servicePassword String: The generated password for the service-specific credential. This value is only available when the credential is created.
serviceSpecificCredentialId String: The unique identifier for the service-specific credential.
serviceUserName String: The generated user name for the service-specific credential. This value is generated by combining the IAM user's name combined with the ID number of the AWS account, as in jane-at-123456789012, for example.

Look up Existing ServiceSpecificCredential Resource

Get an existing ServiceSpecificCredential resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ServiceSpecificCredentialState, opts?: CustomResourceOptions): ServiceSpecificCredential

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        create_date: Optional[str] = None,
        credential_age_days: Optional[int] = None,
        expiration_date: Optional[str] = None,
        service_credential_alias: Optional[str] = None,
        service_credential_secret: Optional[str] = None,
        service_name: Optional[str] = None,
        service_password: Optional[str] = None,
        service_specific_credential_id: Optional[str] = None,
        service_user_name: Optional[str] = None,
        status: Optional[str] = None,
        user_name: Optional[str] = None) -> ServiceSpecificCredential

func GetServiceSpecificCredential(ctx *Context, name string, id IDInput, state *ServiceSpecificCredentialState, opts ...ResourceOption) (*ServiceSpecificCredential, error)

public static ServiceSpecificCredential Get(string name, Input<string> id, ServiceSpecificCredentialState? state, CustomResourceOptions? opts = null)

public static ServiceSpecificCredential get(String name, Output<String> id, ServiceSpecificCredentialState state, CustomResourceOptions options)

resources:  _:    type: aws:iam:ServiceSpecificCredential    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

CreateDate string: The date and time, in RFC3339 format, when the service-specific credential was created.
CredentialAgeDays int: The number of days until the service specific credential expires. This field is only valid for Bedrock API keys and must be between 1 and 36600 (approximately 100 years). When not specified, the credential will not expire.
ExpirationDate string: The date and time, in RFC3339 format, when the service specific credential expires. This field is only present for Bedrock API keys that were created with an expiration period.
ServiceCredentialAlias string: For Bedrock API keys, this is the public portion of the credential that includes the IAM user name and a suffix containing version and creation information.
ServiceCredentialSecret string: For Bedrock API keys, this is the secret portion of the credential that should be used to authenticate API calls. This value is only available when the credential is created.
ServiceName string: The name of the AWS service that is to be associated with the credentials. The service you specify here is the only service that can be accessed using these credentials. Supported services are codecommit.amazonaws.com, bedrock.amazonaws.com, and cassandra.amazonaws.com.
ServicePassword string: The generated password for the service-specific credential. This value is only available when the credential is created.
ServiceSpecificCredentialId string: The unique identifier for the service-specific credential.
ServiceUserName string: The generated user name for the service-specific credential. This value is generated by combining the IAM user's name combined with the ID number of the AWS account, as in jane-at-123456789012, for example.
Status string: The status to be assigned to the service-specific credential. Valid values are Active, Inactive, and Expired. Default value is Active. Note that Expired is only used for read operations and cannot be set manually.
UserName string: The name of the IAM user that is to be associated with the credentials. The new service-specific credentials have the same permissions as the associated user except that they can be used only to access the specified service.

CreateDate string: The date and time, in RFC3339 format, when the service-specific credential was created.
CredentialAgeDays int: The number of days until the service specific credential expires. This field is only valid for Bedrock API keys and must be between 1 and 36600 (approximately 100 years). When not specified, the credential will not expire.
ExpirationDate string: The date and time, in RFC3339 format, when the service specific credential expires. This field is only present for Bedrock API keys that were created with an expiration period.
ServiceCredentialAlias string: For Bedrock API keys, this is the public portion of the credential that includes the IAM user name and a suffix containing version and creation information.
ServiceCredentialSecret string: For Bedrock API keys, this is the secret portion of the credential that should be used to authenticate API calls. This value is only available when the credential is created.
ServiceName string: The name of the AWS service that is to be associated with the credentials. The service you specify here is the only service that can be accessed using these credentials. Supported services are codecommit.amazonaws.com, bedrock.amazonaws.com, and cassandra.amazonaws.com.
ServicePassword string: The generated password for the service-specific credential. This value is only available when the credential is created.
ServiceSpecificCredentialId string: The unique identifier for the service-specific credential.
ServiceUserName string: The generated user name for the service-specific credential. This value is generated by combining the IAM user's name combined with the ID number of the AWS account, as in jane-at-123456789012, for example.
Status string: The status to be assigned to the service-specific credential. Valid values are Active, Inactive, and Expired. Default value is Active. Note that Expired is only used for read operations and cannot be set manually.
UserName string: The name of the IAM user that is to be associated with the credentials. The new service-specific credentials have the same permissions as the associated user except that they can be used only to access the specified service.

createDate String: The date and time, in RFC3339 format, when the service-specific credential was created.
credentialAgeDays Integer: The number of days until the service specific credential expires. This field is only valid for Bedrock API keys and must be between 1 and 36600 (approximately 100 years). When not specified, the credential will not expire.
expirationDate String: The date and time, in RFC3339 format, when the service specific credential expires. This field is only present for Bedrock API keys that were created with an expiration period.
serviceCredentialAlias String: For Bedrock API keys, this is the public portion of the credential that includes the IAM user name and a suffix containing version and creation information.
serviceCredentialSecret String: For Bedrock API keys, this is the secret portion of the credential that should be used to authenticate API calls. This value is only available when the credential is created.
serviceName String: The name of the AWS service that is to be associated with the credentials. The service you specify here is the only service that can be accessed using these credentials. Supported services are codecommit.amazonaws.com, bedrock.amazonaws.com, and cassandra.amazonaws.com.
servicePassword String: The generated password for the service-specific credential. This value is only available when the credential is created.
serviceSpecificCredentialId String: The unique identifier for the service-specific credential.
serviceUserName String: The generated user name for the service-specific credential. This value is generated by combining the IAM user's name combined with the ID number of the AWS account, as in jane-at-123456789012, for example.
status String: The status to be assigned to the service-specific credential. Valid values are Active, Inactive, and Expired. Default value is Active. Note that Expired is only used for read operations and cannot be set manually.
userName String: The name of the IAM user that is to be associated with the credentials. The new service-specific credentials have the same permissions as the associated user except that they can be used only to access the specified service.

createDate string: The date and time, in RFC3339 format, when the service-specific credential was created.
credentialAgeDays number: The number of days until the service specific credential expires. This field is only valid for Bedrock API keys and must be between 1 and 36600 (approximately 100 years). When not specified, the credential will not expire.
expirationDate string: The date and time, in RFC3339 format, when the service specific credential expires. This field is only present for Bedrock API keys that were created with an expiration period.
serviceCredentialAlias string: For Bedrock API keys, this is the public portion of the credential that includes the IAM user name and a suffix containing version and creation information.
serviceCredentialSecret string: For Bedrock API keys, this is the secret portion of the credential that should be used to authenticate API calls. This value is only available when the credential is created.
serviceName string: The name of the AWS service that is to be associated with the credentials. The service you specify here is the only service that can be accessed using these credentials. Supported services are codecommit.amazonaws.com, bedrock.amazonaws.com, and cassandra.amazonaws.com.
servicePassword string: The generated password for the service-specific credential. This value is only available when the credential is created.
serviceSpecificCredentialId string: The unique identifier for the service-specific credential.
serviceUserName string: The generated user name for the service-specific credential. This value is generated by combining the IAM user's name combined with the ID number of the AWS account, as in jane-at-123456789012, for example.
status string: The status to be assigned to the service-specific credential. Valid values are Active, Inactive, and Expired. Default value is Active. Note that Expired is only used for read operations and cannot be set manually.
userName string: The name of the IAM user that is to be associated with the credentials. The new service-specific credentials have the same permissions as the associated user except that they can be used only to access the specified service.

create_date str: The date and time, in RFC3339 format, when the service-specific credential was created.
credential_age_days int: The number of days until the service specific credential expires. This field is only valid for Bedrock API keys and must be between 1 and 36600 (approximately 100 years). When not specified, the credential will not expire.
expiration_date str: The date and time, in RFC3339 format, when the service specific credential expires. This field is only present for Bedrock API keys that were created with an expiration period.
service_credential_alias str: For Bedrock API keys, this is the public portion of the credential that includes the IAM user name and a suffix containing version and creation information.
service_credential_secret str: For Bedrock API keys, this is the secret portion of the credential that should be used to authenticate API calls. This value is only available when the credential is created.
service_name str: The name of the AWS service that is to be associated with the credentials. The service you specify here is the only service that can be accessed using these credentials. Supported services are codecommit.amazonaws.com, bedrock.amazonaws.com, and cassandra.amazonaws.com.
service_password str: The generated password for the service-specific credential. This value is only available when the credential is created.
service_specific_credential_id str: The unique identifier for the service-specific credential.
service_user_name str: The generated user name for the service-specific credential. This value is generated by combining the IAM user's name combined with the ID number of the AWS account, as in jane-at-123456789012, for example.
status str: The status to be assigned to the service-specific credential. Valid values are Active, Inactive, and Expired. Default value is Active. Note that Expired is only used for read operations and cannot be set manually.
user_name str: The name of the IAM user that is to be associated with the credentials. The new service-specific credentials have the same permissions as the associated user except that they can be used only to access the specified service.

createDate String: The date and time, in RFC3339 format, when the service-specific credential was created.
credentialAgeDays Number: The number of days until the service specific credential expires. This field is only valid for Bedrock API keys and must be between 1 and 36600 (approximately 100 years). When not specified, the credential will not expire.
expirationDate String: The date and time, in RFC3339 format, when the service specific credential expires. This field is only present for Bedrock API keys that were created with an expiration period.
serviceCredentialAlias String: For Bedrock API keys, this is the public portion of the credential that includes the IAM user name and a suffix containing version and creation information.
serviceCredentialSecret String: For Bedrock API keys, this is the secret portion of the credential that should be used to authenticate API calls. This value is only available when the credential is created.
serviceName String: The name of the AWS service that is to be associated with the credentials. The service you specify here is the only service that can be accessed using these credentials. Supported services are codecommit.amazonaws.com, bedrock.amazonaws.com, and cassandra.amazonaws.com.
servicePassword String: The generated password for the service-specific credential. This value is only available when the credential is created.
serviceSpecificCredentialId String: The unique identifier for the service-specific credential.
serviceUserName String: The generated user name for the service-specific credential. This value is generated by combining the IAM user's name combined with the ID number of the AWS account, as in jane-at-123456789012, for example.
status String: The status to be assigned to the service-specific credential. Valid values are Active, Inactive, and Expired. Default value is Active. Note that Expired is only used for read operations and cannot be set manually.
userName String: The name of the IAM user that is to be associated with the credentials. The new service-specific credentials have the same permissions as the associated user except that they can be used only to access the specified service.

Import

Using pulumi import, import IAM Service Specific Credentials using the service_name:user_name:service_specific_credential_id. For example:

$ pulumi import aws:iam/serviceSpecificCredential:ServiceSpecificCredential default `codecommit.amazonaws.com:example:some-id`

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: AWS Classic pulumi/pulumi-aws
License: Apache-2.0
Notes: This Pulumi package is based on the aws Terraform Provider.

AWS v7.8.0 published on Tuesday, Oct 7, 2025 by Pulumi

pulumi/pulumi-aws

aws.iam.ServiceSpecificCredential

On this page

On this page

Example Usage

Basic Usage

Bedrock API Key with Expiration

Create ServiceSpecificCredential Resource

Constructor syntax

Parameters

Constructor example

ServiceSpecificCredential Resource Properties

Inputs

Outputs

Look up Existing ServiceSpecificCredential Resource

Import

Package Details

On this page

On this page