Frequently asked questions about creating, managing, and securing AccessKey pairs.
What is an AccessKey?
An AccessKey pair is a long-term security credential that Alibaba Cloud issues for programmatic access. It consists of an AccessKey ID and an AccessKey secret.
- AccessKey ID: The public, unique identifier for an AccessKey pair.
- AccessKey secret: The private key used to sign programmatic requests. This signature verifies the authenticity and integrity of the request. You must keep your AccessKey secret strictly confidential.
To reduce the risk of compromise, the AccessKey secret is displayed only when you create it. You cannot retrieve it later. Be sure to store it securely.
How to use an AccessKey
AccessKey pairs authenticate programmatic calls to Alibaba Cloud APIs through the CLI, SDKs, or Terraform. They cannot be used to sign in to the console.
Avoid using AccessKey pairs directly in applications. Alibaba Cloud provides AccessKey-free solutions that use temporary security credentials (STS tokens) instead. For more information, see Application development scenarios.
If you must use an AccessKey pair, follow the guidance in Properly store and use unavoidable AccessKey pairs.
How an AccessKey works
RAM generates the AccessKey ID and AccessKey secret using a cryptographic algorithm. Alibaba Cloud encrypts them during storage and transmission.
When an application sends a request, it includes the AccessKey ID and a signature derived from the AccessKey secret. Alibaba Cloud uses these to verify the sender's identity and the integrity of the request. For more information, see V3 request body & signature mechanism.
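To make the ID-plus-signature mechanism concrete, here is an added example (not Alibaba Cloud's SDK or server code) that models request signing with an AccessKey pair: the client computes an HMAC-SHA256 over a canonical form of the request using the secret, and the server recomputes it from the secret it holds for that AccessKey ID, so the secret itself never travels on the wire. The ACS3-HMAC-SHA256 label, the canonical layout, the header names and the credential values are simplified placeholders, not the exact V3 wire format.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "ACS3-HMAC-SHA256"  # scheme name, used here only as a label in this model

def canonical_request(method, path, query, headers, body):
    """Deterministic text covering every part of the request the signature protects."""
    norm = {k.lower(): v.strip() for k, v in headers.items()}
    signed_headers = ";".join(sorted(norm))
    canon_query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(query.items()))
    canon_headers = "".join(f"{h}:{norm[h]}\n" for h in sorted(norm))
    payload_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method, path, canon_query, canon_headers, signed_headers, payload_hash]), signed_headers

def sign_request(access_key_id, access_key_secret, method, path, query, headers, body):
    """Client side: the secret stays local; only the AccessKey ID and the HMAC leave the host."""
    canon, signed_headers = canonical_request(method, path, query, headers, body)
    string_to_sign = ALGORITHM + "\n" + hashlib.sha256(canon.encode()).hexdigest()
    sig = hmac.new(access_key_secret.encode(), string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{ALGORITHM} Credential={access_key_id},SignedHeaders={signed_headers},Signature={sig}"

def verify_request(secret_lookup, authorization, method, path, query, headers, body):
    """Server side: find the secret by AccessKey ID, recompute the signature, compare safely."""
    try:
        scheme, fields = authorization.split(" ", 1)
        parts = dict(f.split("=", 1) for f in fields.split(","))
        key_id, signed = parts["Credential"], parts["SignedHeaders"].split(";")
    except (ValueError, KeyError):
        return False
    secret = secret_lookup(key_id)
    lowered = {k.lower(): v for k, v in headers.items()}
    if scheme != ALGORITHM or secret is None or any(h not in lowered for h in signed):
        return False  # unknown ID, or a header the client claims to have signed is missing
    covered = {h: lowered[h] for h in signed}
    expected = sign_request(key_id, secret, method, path, query, covered, body)
    return hmac.compare_digest(expected, authorization)

# Constructed demo credential store; the values are placeholders, not real keys.
SECRETS = {"EXAMPLE_AK_ID": "example-secret-placeholder"}

def demo():
    headers = {"host": "ecs.aliyuncs.com", "x-acs-action": "DescribeRegions",
               "x-acs-date": "2024-01-01T00:00:00Z"}
    auth = sign_request("EXAMPLE_AK_ID", SECRETS["EXAMPLE_AK_ID"], "POST", "/", {}, headers, b"")
    genuine = verify_request(SECRETS.get, auth, "POST", "/", {}, headers, b"")
    # Changing any signed part (here, adding a query parameter) invalidates the signature.
    tampered = verify_request(SECRETS.get, auth, "POST", "/", {"RegionId": "cn-hangzhou"}, headers, b"")
    return genuine, tampered
```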
What types of AccessKey pairs are available?
- Alibaba Cloud account AccessKey pair (Not recommended): The Alibaba Cloud account owner creates this type. By default, it has full permissions for all operations and resources within the account. If compromised, the security risk is extremely high. Do not create or use an AccessKey pair for your Alibaba Cloud account.
- RAM user AccessKey pair (Recommended): This type belongs to a RAM user and inherits that user's permissions, enabling least-privilege access. Create a RAM user before creating an AccessKey pair for it. Assign a unique RAM user and AccessKey pair to each application to prevent excessive permissions and reduce compromise risk from shared credentials.
What information can I view about an AccessKey pair?
You can view an AccessKey pair's metadata, including its AccessKey ID, status, creation time, and last-used information.
Can I view an AccessKey ID after it is created?
Yes.
Can I view an AccessKey secret after it is created?
No. For security reasons, the AccessKey secret is only available to view or download at creation time. If you lose it, create a new AccessKey pair.
How do I check if an AccessKey pair is in use?
Check the last-used time for an AccessKey pair in the console or through the API.
- When logged in with an Alibaba Cloud account or as a RAM user, view the last-used time for your own AccessKey pairs.
- As a RAM administrator, view the last-used time for any RAM user's AccessKey pairs in your account. For more information, see View the information about AccessKey pairs of a RAM user.
- GetAccessKeyLastUsed API operation: Call this operation to programmatically retrieve the last-used time for an AccessKey pair.
Can I change an AccessKey ID?
No. AccessKey IDs are immutable.
Can I restore a deleted AccessKey pair?
Yes, for RAM users. When you delete a RAM user's AccessKey pair, it is moved to a recycle bin.
Deleted AccessKey pairs are retained in the recycle bin for 30 days and can be restored during this period. Once an AccessKey pair is purged, it cannot be recovered.
For more information, see Delete a RAM user's AccessKey.
Deleting an in-use AccessKey pair causes the associated application to lose access to Alibaba Cloud resources.
What do I do if an AccessKey pair is leaked?
For more information, see Remediate a compromised AccessKey pair.
How do I find which account owns an AccessKey pair?
For security reasons, Alibaba Cloud does not provide a public service to identify the owner of an AccessKey ID.
To identify the owner of an AccessKey ID within your organization, use one of the following methods:
- In the RAM console, go to the Users page and search for the AccessKey ID. If you manage multiple accounts, repeat the search in each account.
- If your organization uses Resource Directory, enable a multi-account trail in ActionTrail, then query the aggregated audit logs for the AccessKey ID to identify the owner.
Why am I getting a "There is a risk of leakage of this AccessKey" error?
Alibaba Cloud detected a potential leak and placed the AccessKey pair under restrictive protection. Resolve this by following the steps in Restrictive protection of AccessKey pairs.
API call unexpectedly denied?
Symptoms
After a network ACL policy for an AccessKey pair takes effect, calls from source IP addresses that are not in the allowed list will be denied. Common error messages include:
- Message: The specified parameter "AccessKeyId.AccessPolicyDenied" is not valid.
- Message: code: 400, Specified access key denied due to access policy.
Solution
If a network ACL policy unexpectedly denies an API call, follow these steps to resolve the issue:
1. Check whether an AccessKey-level network ACL policy is configured for the restricted AccessKey pair.
   - Yes: Modify the AccessKey-level network ACL policy to add the source IP address to the policy.
   - No: Proceed to the next step.
2. As a RAM administrator, check and modify the account-level network ACL policy to add the source IP address to the policy.
If the issue persists, the source IP address in the policy may be incorrect. Verify and obtain the correct IP address.
Use ActionTrail to query the historical source IP addresses of calls made with the AccessKey pair. For more information, see Review historical IP addresses in ActionTrail.
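The ActionTrail review above, and the owner lookup from aggregated audit logs described under "How do I find which account owns an AccessKey pair?", can be scripted over the trail's events. The following added example (not Alibaba Cloud's tooling) filters constructed ActionTrail-style events by AccessKey ID, reports the owning account and RAM user, lists the historical source IPs with call counts, and flags those outside the allowed CIDRs of the current network ACL policy. The field names (eventTime, eventName, sourceIpAddress, userIdentity.accountId, userIdentity.userName, userIdentity.accessKeyId) are assumed to follow ActionTrail's event format; all values are made up.

```python
import ipaddress
from collections import Counter

# Constructed ActionTrail-style events. Field names follow ActionTrail's event format as
# assumed here; every value is made up. In practice they come from the trail's delivered logs.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T08:00:00Z", "eventName": "DescribeInstances",
     "sourceIpAddress": "203.0.113.10",
     "userIdentity": {"accountId": "111111111111", "userName": "app-ecs", "accessKeyId": "EXAMPLE_AK_ID"}},
    {"eventTime": "2024-03-01T08:05:00Z", "eventName": "DescribeInstances",
     "sourceIpAddress": "198.51.100.7",
     "userIdentity": {"accountId": "111111111111", "userName": "app-ecs", "accessKeyId": "EXAMPLE_AK_ID"}},
    {"eventTime": "2024-03-01T09:00:00Z", "eventName": "ListBuckets",
     "sourceIpAddress": "198.51.100.7",
     "userIdentity": {"accountId": "111111111111", "userName": "app-ecs", "accessKeyId": "EXAMPLE_AK_ID"}},
    {"eventTime": "2024-03-01T09:30:00Z", "eventName": "GetUser",
     "sourceIpAddress": "192.0.2.44",
     "userIdentity": {"accountId": "222222222222", "userName": "ops-admin", "accessKeyId": "OTHER_AK_ID"}},
]

# Source ranges the AccessKey-level network ACL policy currently allows (constructed).
ALLOWED_CIDRS = ["203.0.113.0/24"]

def events_for_key(events, access_key_id):
    return [ev for ev in events if ev.get("userIdentity", {}).get("accessKeyId") == access_key_id]

def owner_of_key(events, access_key_id):
    """Which account and RAM user the AccessKey ID belongs to, from the aggregated trail."""
    owners = {(ev["userIdentity"].get("accountId"), ev["userIdentity"].get("userName"))
              for ev in events_for_key(events, access_key_id)}
    return sorted(owners)  # normally exactly one (accountId, userName) pair

def source_ip_counts(events, access_key_id):
    """Distinct historical source IPs that called with this AccessKey ID, with call counts."""
    return Counter(ev["sourceIpAddress"] for ev in events_for_key(events, access_key_id))

def ips_outside_policy(ip_counts, allowed_cidrs):
    """IPs the trail has seen that the current policy denies. Each one needs review (is it
    really our workload, or an unexpected caller?) before it is added to the policy."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return {ip: n for ip, n in ip_counts.items()
            if not any(ipaddress.ip_address(ip) in net for net in nets)}

def review(events=SAMPLE_EVENTS, access_key_id="EXAMPLE_AK_ID", allowed_cidrs=ALLOWED_CIDRS):
    counts = source_ip_counts(events, access_key_id)
    return {"owner": owner_of_key(events, access_key_id),
            "seen_ips": dict(counts),
            "denied_by_policy": ips_outside_policy(counts, allowed_cidrs)}
```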