Resource Access Management: FAQ about AccessKey pairs

Last Updated: Jul 11, 2025

This topic provides answers to frequently asked questions about AccessKey pairs, including what an AccessKey pair is, how to view an AccessKey pair, how to check whether an AccessKey pair is in use, and how to handle AccessKey pair leaks.

What is an AccessKey pair?

An AccessKey pair is a permanent access credential that is provided by Alibaba Cloud to a user. An AccessKey pair consists of an AccessKey ID and an AccessKey secret.

  • The AccessKey ID is used to identify a user.

  • The AccessKey secret is used to verify the identity of the user.

The AccessKey ID and AccessKey secret are generated by RAM based on algorithms. Alibaba Cloud encrypts the AccessKey ID and AccessKey secret during storage and transmission.

You cannot use the AccessKey pair for console logons. When you use a development tool such as an API, CLI, SDK, or Terraform to access Alibaba Cloud, each request includes the AccessKey ID and a signature that is generated for the request by using the AccessKey secret. In this case, the AccessKey pair is used for identity verification and request validity verification.
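The signing flow described above, as an added example that is not part of the original documentation: a simplified HMAC-SHA256 scheme (not Alibaba Cloud's actual signature algorithm) in which the client sends only the AccessKey ID and a signature, and the server recomputes the signature from its stored secret. The canonical string format, the key values, and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed server-side credential store: AccessKey ID -> AccessKey secret.
# Both values are made up for this example.
SECRETS = {"AKID-EXAMPLE-0001": "constructed-secret-not-real"}


def canonical_string(method, params):
    """Build the byte-for-byte identical string that both sides sign."""
    pairs = [
        f"{quote(k, safe='')}={quote(str(v), safe='')}"
        for k, v in sorted(params.items())
        if k != "Signature"
    ]
    return method.upper() + "\n" + "&".join(pairs)


def sign(method, params, secret):
    """HMAC over the canonical request, keyed with the AccessKey secret."""
    mac = hmac.new(secret.encode(), canonical_string(method, params).encode(),
                   hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def build_request(method, params, access_key_id, secret):
    """Client side: attach the AccessKey ID and the signature, never the secret."""
    request = dict(params, AccessKeyId=access_key_id)
    request["Signature"] = sign(method, request, secret)
    return request


def verify_request(method, request):
    """Server side: look up the secret by AccessKey ID and recompute the signature."""
    secret = SECRETS.get(request.get("AccessKeyId", ""))
    signature = request.get("Signature")
    if secret is None or not isinstance(signature, str):
        return False
    expected = sign(method, request, secret)
    return hmac.compare_digest(expected.encode(), signature.encode())


if __name__ == "__main__":
    req = build_request("GET", {"Action": "ListUsers"}, "AKID-EXAMPLE-0001",
                        SECRETS["AKID-EXAMPLE-0001"])
    print(verify_request("GET", req))                             # True
    print(verify_request("GET", dict(req, Action="DeleteUser")))  # False
```

Because the signature covers the method and every parameter, a request altered in transit or signed with the wrong secret fails verification.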

What types of AccessKey pairs does Alibaba Cloud provide?

  • Alibaba Cloud account AccessKey pair

    This type of AccessKey pair is created by an Alibaba Cloud account. By default, this type of AccessKey pair has all permissions of the current account and can be used to perform all operations. If this type of AccessKey pair is leaked, the risk is extremely high. We strongly recommend that you do not create or use the AccessKey pair of your Alibaba Cloud account.

  • RAM user AccessKey pair

    This type of AccessKey pair is a program access credential that belongs to a RAM user. You must create a RAM user before you can create an AccessKey pair for the RAM user. The AccessKey pair of a RAM user inherits the permissions of the RAM user, so you can implement fine-grained permission management. We recommend that you assign a separate RAM user and AccessKey pair to each business application, so that AccessKey pairs are not shared and the risk of leakage is not expanded.

What information can I view after I create an AccessKey pair?

After you create an AccessKey pair, you can view the basic information about the AccessKey pair, such as the AccessKey ID, status, last used cloud service, last used time, and creation time. For more information about how to view the information about the AccessKey pair of a RAM user, see View the AccessKey pair information of a RAM user.

Can I view the AccessKey ID after I create an AccessKey pair?

Yes, you can.

Can I view the AccessKey secret after I create an AccessKey pair?

No, you cannot. The AccessKey secret for an Alibaba Cloud account or a Resource Access Management (RAM) user is displayed only when you create the AccessKey pair. You cannot query the AccessKey secret in subsequent operations. This helps reduce the risks of AccessKey pair leaks. Record the AccessKey secret and keep it confidential.

How do I check whether an AccessKey pair is in use?

You can view the time when an AccessKey pair was last used in the Alibaba Cloud Management Console or by calling an operation. This helps you check whether the AccessKey pair is in use.

Can I change the AccessKey ID after I create an AccessKey pair?

No, you cannot change the AccessKey ID after you create an AccessKey pair. You can only disable, enable, or delete an AccessKey pair.

Can I restore an AccessKey pair after I delete it?

RAM provides a recycle bin feature. When you delete the AccessKey pair of a RAM user, the AccessKey pair is moved to the recycle bin. You can restore the AccessKey pairs in the recycle bin.

However, AccessKey pairs in the recycle bin are retained for only 30 days. After 30 days, the system automatically clears these AccessKey pairs, which means that the AccessKey pairs are permanently deleted. You can also manually delete AccessKey pairs from the recycle bin. You cannot restore permanently deleted AccessKey pairs.

For more information, see Delete the AccessKey pair of a RAM user.

Warning

Proceed with caution when you delete an AccessKey pair. If you delete an AccessKey pair that is in use, your application may fail.

What do I do if an AccessKey pair is leaked?

For more information, see Solutions for AccessKey pair leaks.

How do I query the account to which an AccessKey pair belongs?

An AccessKey pair is a program access credential and sensitive information. Alibaba Cloud cannot provide you with the ability to query the account to which any AccessKey pair belongs.

If you have this requirement, you can try the following methods to query the account to which an AccessKey pair belongs within your permissions:

  • You can log on to the RAM console using your Alibaba Cloud account. On the Users page, enter the AccessKey ID in the search box to query the account. If you have multiple Alibaba Cloud accounts, you must query each account.

  • If you have activated Resource Directory and created a multi-account trail in ActionTrail to deliver the operation events of all members in the resource directory to Simple Log Service or Object Storage Service (OSS), you can try to query the account to which an AccessKey pair belongs in the audit logs.
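One way to run the audit-log search from the second method, as an added example that is not part of the original documentation. It assumes the delivered events are available as one JSON object per line; the field names (userIdentity.accessKeyId, accountId, userName, eventTime, sourceIpAddress), the sample events, and the function name are assumptions made for illustration.

```python
import json

# Constructed sample of delivered audit events, one JSON object per line.
# Field names are assumptions about the delivered event layout.
SAMPLE_LOG = """\
{"eventTime":"2025-07-01T02:10:11Z","eventName":"DescribeInstances","sourceIpAddress":"203.0.113.10","userIdentity":{"type":"ram-user","accountId":"1000000000000001","userName":"ci-deployer","accessKeyId":"AKID-EXAMPLE-0001"}}
{"eventTime":"2025-07-03T08:45:00Z","eventName":"GetObject","sourceIpAddress":"203.0.113.25","userIdentity":{"type":"ram-user","accountId":"1000000000000001","userName":"ci-deployer","accessKeyId":"AKID-EXAMPLE-0001"}}
{"eventTime":"2025-07-02T11:00:00Z","eventName":"ListUsers","sourceIpAddress":"198.51.100.4","userIdentity":{"type":"ram-user","accountId":"1000000000000002","userName":"reporting","accessKeyId":"AKID-EXAMPLE-0002"}}
truncated-line-without-json
"""


def find_key_owner(log_text, access_key_id):
    """Return {(account_id, user_name): summary} for events signed with the key."""
    owners = {}
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged lines instead of aborting the search
        identity = event.get("userIdentity") if isinstance(event, dict) else None
        if not isinstance(identity, dict):
            continue
        if identity.get("accessKeyId") != access_key_id:
            continue
        who = (identity.get("accountId"), identity.get("userName"))
        summary = owners.setdefault(
            who, {"events": 0, "last_seen": "", "source_ips": set()})
        summary["events"] += 1
        # ISO 8601 UTC timestamps in one format sort correctly as strings.
        summary["last_seen"] = max(summary["last_seen"], event.get("eventTime", ""))
        if event.get("sourceIpAddress"):
            summary["source_ips"].add(event["sourceIpAddress"])
    return owners


if __name__ == "__main__":
    for who, summary in find_key_owner(SAMPLE_LOG, "AKID-EXAMPLE-0001").items():
        print(who, summary)
```

An empty result means only that the AccessKey ID does not appear in the logs that were searched, not that the key is unused.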

What do I do when the "There is a risk of leakage of this AccessKey." error occurs?

This error indicates that the AccessKey pair used for identity verification is under restrictive protection. For more information about the solution, see Description of restrictive protection for AccessKey pairs.

What do I do if my API call is denied by a network access control policy and I want the call to be allowed?

After an AccessKey pair-based policy for network access control takes effect, calls from the source IP addresses that are not specified in the policy are denied and no call audit record is generated. If you want to allow calls from an unspecified source IP address, you can perform the following operations:

  1. Check whether an AccessKey pair-level policy for network access control is configured for the related AccessKey pair.

    • If yes, add the source IP address to the AccessKey pair-level policy for network access control.

    • If no, perform the subsequent operation.

  2. Add the source IP address to the account-level AccessKey pair-based policy for network access control.

  3. If calls from the source IP address are still denied, make sure that the source IP address is accurate.
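The three steps above as a decision function, in an added example that is not part of the original documentation. It assumes, as the procedure implies, that a configured AccessKey pair-level policy is the one evaluated for that AccessKey pair and that the account-level policy applies only when no AccessKey pair-level policy exists; the list-of-CIDRs representation, the verdict strings, and the function name are hypothetical.

```python
import ipaddress


def diagnose_denied_call(source_ip, key_policy, account_policy):
    """Return (verdict, policy_to_edit) for a call from source_ip.

    key_policy / account_policy are lists of allowed CIDR strings, or None
    when no policy of that level is configured (hypothetical representation).
    """
    try:
        ip = ipaddress.ip_address(source_ip.strip())
    except ValueError:
        # Step 3: the address being checked is not a valid IP address.
        return ("invalid-source-ip", None)

    # Step 1: an AccessKey pair-level policy, when configured, is the one
    # to edit; otherwise step 2 falls back to the account-level policy.
    if key_policy is not None:
        level, cidrs = "accesskey-level", key_policy
    elif account_policy is not None:
        level, cidrs = "account-level", account_policy
    else:
        return ("allowed", None)  # no network access control policy in effect

    # strict=False accepts entries such as 203.0.113.9/24 with host bits set.
    networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    if any(ip in net for net in networks):
        return ("allowed", level)
    return ("denied", level)


if __name__ == "__main__":
    # Constructed case: the IP is listed only in the account-level policy,
    # but an AccessKey pair-level policy exists, so that is the one to edit.
    print(diagnose_denied_call("198.51.100.7",
                               ["203.0.113.0/24"], ["198.51.100.0/24"]))
```

A "denied" verdict names the policy that needs the source IP address added; an "allowed" verdict for a call that is still denied points to step 3, where the address the service sees differs from the one that was checked.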