This topic provides answers to some frequently asked questions about AccessKey pairs.

What is an AccessKey pair?

When you call API operations, you must use an AccessKey pair to complete identity verification. An AccessKey pair consists of an AccessKey ID and an AccessKey secret.

  • The AccessKey ID is used to identify a user.
  • The AccessKey secret is used to verify the identity of the user. You must keep your AccessKey secret strictly confidential.

What information can I view after I create an AccessKey pair?

After you create an AccessKey pair, you can view basic information such as the AccessKey ID, the status of the AccessKey pair, the time when the AccessKey pair was last used, and the time when the AccessKey pair was created. For more information, see View the information about AccessKey pairs of a RAM user.

Can I view the AccessKey ID after I create an AccessKey pair?

Yes, you can view the AccessKey ID after you create an AccessKey pair.

Can I view the AccessKey secret after I create an AccessKey pair?

The answer to this question varies. You cannot view the AccessKey secret of a Resource Access Management (RAM) user after you create an AccessKey pair for the RAM user. The AccessKey secret is displayed only when you create the AccessKey pair and is unavailable for subsequent queries. However, you can view the AccessKey secret of an Alibaba Cloud account after you create an AccessKey pair for the Alibaba Cloud account.

How do I check whether an AccessKey pair is in use?

You can view the time when an AccessKey pair was last used in the console or by calling an operation. This helps you check whether the AccessKey pair is in use.

  • AccessKey Pair page

    If you access the AccessKey Pair page by using an Alibaba Cloud account, you can view the time when the AccessKey pair of the Alibaba Cloud account was last used. If you access the AccessKey Pair page by using a RAM user, you can view the time when the AccessKey pair of the RAM user was last used.

  • RAM console

    If you log on to the RAM console by using an Alibaba Cloud account or a RAM user that has administrative rights, you can view the time when the AccessKey pairs of all RAM users were last used. For more information, see View the information about AccessKey pairs of a RAM user.

  • GetAccessKeyLastUsed

    You can call this operation to view the time when the AccessKey pair of an Alibaba Cloud account or RAM user was last used.

Can I change the AccessKey ID after I create an AccessKey pair?

No, you cannot change the AccessKey ID after you create an AccessKey pair. You can only disable, enable, or delete an AccessKey pair.

Can I restore an AccessKey pair after I delete it?

No, you cannot restore an AccessKey pair that is deleted.

Note Proceed with caution when you delete an AccessKey pair. If you delete an AccessKey pair that is in use, system failures may occur on your application.

What do I do if an AccessKey pair is leaked?

The AccessKey pair of an Alibaba Cloud account has the same full management permissions as the Alibaba Cloud account. You cannot impose limits such as limits on source IP addresses and time periods of requests on the AccessKey pair. If the AccessKey pair of an Alibaba Cloud account is leaked, the resources that belong to the account are exposed to potential risks. Therefore, we recommend that you create AccessKey pairs for RAM users, instead of for your Alibaba Cloud account.

If your AccessKey pair is leaked, you can troubleshoot the issue by performing one of the following operations:

  • AccessKey pair of an Alibaba Cloud account

    Replace the AccessKey pair of an Alibaba Cloud account with the AccessKey pair of a RAM user to which the AdministratorAccess policy is attached.

    1. In the RAM console, create a RAM user and attach the AdministratorAccess policy to the RAM user.

      For more information, see Create a RAM user and Grant permissions to the RAM user.

    2. Create an AccessKey pair for the RAM user.

      For more information, see Create an AccessKey pair for a RAM user.

    3. In the test environment of the program or application, use the AccessKey pair of the RAM user to replace the AccessKey pair of the Alibaba Cloud account. Then, check whether the program or application runs as expected.
    4. In the production environment of the program or application, use the AccessKey pair of the RAM user to replace the AccessKey pair of the Alibaba Cloud account and check whether the program or application runs as expected.
    5. Disable the AccessKey pair of the Alibaba Cloud account.
    6. If no issues that are related to the AccessKey pair of the Alibaba Cloud account occur within 90 days after you disable the AccessKey pair, you can delete the AccessKey pair.
  • AccessKey pair of a RAM user

    Create another AccessKey pair to replace the previous AccessKey pair. For more information, see Rotate AccessKey pairs of RAM users.