Provides an IAM access key. This is a set of credentials that allow API requests to be made as an IAM user.
resource "aws_iam_access_key" "lb" {
  user    = aws_iam_user.lb.name
  # With pgp_key set, the secret is exported only in encrypted form
  pgp_key = "keybase:some_person_that_exists"
}

resource "aws_iam_user" "lb" {
  name = "loadbalancer"
  path = "/system/"
}

# Read-only EC2 policy attached to the user below
data "aws_iam_policy_document" "lb_ro" {
  statement {
    effect    = "Allow"
    actions   = ["ec2:Describe*"]
    resources = ["*"]
  }
}

resource "aws_iam_user_policy" "lb_ro" {
  name   = "test"
  user   = aws_iam_user.lb.name
  policy = data.aws_iam_policy_document.lb_ro.json
}

output "secret" {
  value = aws_iam_access_key.lb.encrypted_secret
}

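resource "aws_iam_user" "test" {
  name = "test"
  path = "/test/"
}

# No pgp_key: the secret and SMTP password are stored in plaintext in the state
resource "aws_iam_access_key" "test" {
  user = aws_iam_user.test.name
}

output "aws_iam_smtp_password_v4" {
  value     = aws_iam_access_key.test.ses_smtp_password_v4
  # ses_smtp_password_v4 is a sensitive attribute, so the output must be marked sensitive
  sensitive = true
}
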
This resource supports the following arguments:

pgp_key - (Optional) Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute. If providing a base-64 encoded PGP public key, make sure to provide the "raw" version and not the "armored" one (e.g. avoid passing the -a option to gpg --export).

status - (Optional) Access key status to apply. Defaults to Active. Valid values are Active and Inactive.

user - (Required) IAM user to associate with this access key.

This resource exports the following attributes in addition to the arguments above:

create_date - Date and time in RFC3339 format that the access key was created.

encrypted_secret - Encrypted secret, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted secret may be decrypted using the command line, for example: terraform output -raw encrypted_secret | base64 --decode | keybase pgp decrypt.

encrypted_ses_smtp_password_v4 - Encrypted SES SMTP password, base64 encoded, if pgp_key was specified. This attribute is not available for imported resources. The encrypted password may be decrypted using the command line, for example: terraform output -raw encrypted_ses_smtp_password_v4 | base64 --decode | keybase pgp decrypt.

id - Access key ID.

key_fingerprint - Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.

secret - Secret access key. This attribute is not available for imported resources. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.

ses_smtp_password_v4 - Secret access key converted into an SES SMTP password by applying AWS's documented SigV4 conversion algorithm. This attribute is not available for imported resources. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions.

In Terraform v1.5.0 and later, use an import block to import IAM Access Keys using the identifier. For example:

import {
  to = aws_iam_access_key.example
  id = "AKIA1234567890"
}

Using terraform import, import IAM Access Keys using the identifier. For example:

% terraform import aws_iam_access_key.example AKIA1234567890

Resource attributes such as encrypted_secret, key_fingerprint, pgp_key, secret, ses_smtp_password_v4, and encrypted_ses_smtp_password_v4 are not available for imported resources as this information cannot be read from the IAM API.
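
A check for the state-file exposure noted under secret, as an added example that is not part of the provider documentation: it parses a Terraform state file and lists aws_iam_access_key instances whose secret or ses_smtp_password_v4 is stored in plaintext, without printing the values. It assumes the JSON state format version 4; the function name, the sample state and its key IDs are constructed for illustration.

```python
import json

# Attributes of aws_iam_access_key that hold usable credentials in plaintext.
PLAINTEXT_ATTRS = ("secret", "ses_smtp_password_v4")

def find_plaintext_keys(state_text):
    """Return (address, access_key_id, [attribute names]) for every
    aws_iam_access_key instance whose state holds a plaintext credential."""
    state = json.loads(state_text)
    findings = []
    for res in state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "aws_iam_access_key":
            continue
        address = f'{res["type"]}.{res["name"]}'
        if res.get("module"):
            address = f'{res["module"]}.{address}'
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            key = inst.get("index_key")  # present for count / for_each instances
            inst_addr = address if key is None else f"{address}[{json.dumps(key)}]"
            exposed = [a for a in PLAINTEXT_ATTRS if attrs.get(a)]
            if exposed:
                findings.append((inst_addr, attrs.get("id"), exposed))
    return findings

# Constructed sample state (format version 4), not taken from a real deployment.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_iam_access_key", "name": "lb",
         "instances": [{"attributes": {
             "id": "AKIAEXAMPLEPGP000000", "pgp_key": "keybase:some_person_that_exists",
             "encrypted_secret": "Y29uc3RydWN0ZWQ=", "secret": None,
             "ses_smtp_password_v4": None}}]},
        {"mode": "managed", "type": "aws_iam_access_key", "name": "test",
         "instances": [{"attributes": {
             "id": "AKIAEXAMPLEPLAIN0000", "pgp_key": None,
             "secret": "constructed-secret-value",
             "ses_smtp_password_v4": "constructed-smtp-password"}}]},
    ],
})

if __name__ == "__main__":
    for address, key_id, exposed in find_plaintext_keys(SAMPLE_STATE):
        print(f"{address} ({key_id}): plaintext {', '.join(exposed)} in state")
```

Run against a pulled copy of the state, any key it reports should be treated as exposed to everyone who can read the backend.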