This topic provides answers to some frequently asked questions about AccessKey pairs, including what is an AccessKey pair, how to view an AccessKey pair, how to check whether an AccessKey pair is in use, and how to deal with leaks of an AccessKey pair.
What is an AccessKey pair?
An AccessKey pair is a permanent access credential that is provided to an Alibaba Cloud user. The user can use the AccessKey pair to access Alibaba Cloud by using a development tool such as the API, CLI, SDK, Cloud Shell, and Terraform. The AccessKey pair cannot be used for console logons.
An AccessKey pair consists of an AccessKey ID and an AccessKey secret, which need to be used together. Keep an AccessKey pair confidential.
The AccessKey ID is used to identify a user.
The AccessKey secret is used to verify the identity of the user. You must keep your AccessKey secret strictly confidential.
The AccessKey ID and AccessKey secret are generated by RAM based on algorithms. Alibaba Cloud encrypts the AccessKey ID and AccessKey secret during storage and transmission.
What information can I view after I create an AccessKey pair?
After you create an AccessKey pair, you can view basic information such as the AccessKey ID, the status of the AccessKey pair, the time when the AccessKey pair was last used, and the time when the AccessKey pair was created. For more information, see View the information about AccessKey pairs of a RAM user.
Can I view the AccessKey ID after I create an AccessKey pair?
Yes, you can view the AccessKey ID after you create an AccessKey pair.
Can I view the AccessKey secret after I create an AccessKey pair?
If you use a RAM user, you cannot view the AccessKey secret after you create an AccessKey pair. The AccessKey secret is displayed only when you create the AccessKey pair and is unavailable for subsequent queries.
If you use an Alibaba Cloud account, you cannot view the AccessKey secret after you create an AccessKey pair since November 20, 2023, If you use an Alibaba Cloud account and you do not sign the informed consent form for AccessKey pairs that were created before July 5, 2023, you can save and download the AccessKey secret of your AccessKey pair for the last time.
How do I check whether an AccessKey pair is in use?
You can view the time when an AccessKey pair was last used in the Alibaba Cloud Management Console or by calling an operation. This helps you check whether the AccessKey pair is in use.
If you access the AccessKey Pair page by using an Alibaba Cloud account, you can view the time when the AccessKey pair of the Alibaba Cloud account was last used. If you access the AccessKey Pair page by using a RAM user, you can view the time when the AccessKey pair of the RAM user was last used.
If you log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights, you can view the time when the AccessKey pairs of all RAM users were last used. For more information, see View the information about AccessKey pairs of a RAM user.
You can call this operation to view the time when the AccessKey pair of an Alibaba Cloud account or RAM user was last used.
Can I change the AccessKey ID after I create an AccessKey pair?
No, you cannot change the AccessKey ID after you create an AccessKey pair. You can only disable, enable, or delete an AccessKey pair.
Can I restore an AccessKey pair after I delete it?
No, you cannot restore an AccessKey pair that is deleted.
Proceed with caution when you delete an AccessKey pair. If you delete an AccessKey pair that is in use, system failures may occur on your application.
What do I do if an AccessKey pair is leaked?
The AccessKey pair of an Alibaba Cloud account has the same full management permissions as the Alibaba Cloud account. You cannot impose limits such as limits on source IP addresses and time periods of requests on the AccessKey pair. If the AccessKey pair of an Alibaba Cloud account is leaked, the resources that belong to the account are exposed to potential risks. Therefore, we recommend that you create AccessKey pairs for RAM users, instead of for your Alibaba Cloud account.
If your AccessKey pair is leaked, you can troubleshoot the issue by performing one of the following operations:
AccessKey pair of an Alibaba Cloud account
Replace the AccessKey pair of an Alibaba Cloud account with the AccessKey pair of a RAM user to whom the required permissions are granted.
Create a RAM user in the RAM console.
For more information, see Create a RAM user.
Grant the RAM user the required access permissions to your program or application.
We recommend that you grant only the required permissions to the RAM user based on the principle of least privilege. You can create custom policies to perform fine-grained authorization. If you are not familiar with custom policies, you can use the system policies defined by Alibaba Cloud to perform coarse-grained authorization. Then, you can further revoke some permissions based on your business requirements. For more information, see Create custom policies and Grant permissions to a RAM user.
Create an AccessKey pair for the RAM user.
For more information, see Create an AccessKey pair.
In the test environment of the program or application, use the AccessKey pair of the RAM user to replace the AccessKey pair of the Alibaba Cloud account. Then, check whether the program or application runs as expected.
In the production environment of the program or application, use the AccessKey pair of the RAM user to replace the AccessKey pair of the Alibaba Cloud account and check whether the program or application runs as expected.
Disable the AccessKey pair of the Alibaba Cloud account.
If no issues that are related to the AccessKey pair of the Alibaba Cloud account occur within 90 days after you disable the AccessKey pair, you can delete the AccessKey pair.
AccessKey pair of a RAM user
Create another AccessKey pair to replace the previous AccessKey pair. For more information, see Rotate AccessKey pairs of RAM users.