» aws_iam_access_key

Provides an IAM access key. This is a set of credentials that allow API requests to be made as an IAM user.

» Example Usage

resource "aws_iam_access_key" "lb" {
  user    = "${aws_iam_user.lb.name}"
  pgp_key = "keybase:some_person_that_exists"

resource "aws_iam_user" "lb" {
  name = "loadbalancer"
  path = "/system/"

resource "aws_iam_user_policy" "lb_ro" {
  name = "test"
  user = "${aws_iam_user.lb.name}"

  policy = <<EOF
  "Version": "2012-10-17",
  "Statement": [
      "Action": [
      "Effect": "Allow",
      "Resource": "*"

output "secret" {
  value = "${aws_iam_access_key.lb.encrypted_secret}"

» Argument Reference

The following arguments are supported:

  • user - (Required) The IAM user to associate with this access key.
  • pgp_key - (Optional) Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists.

» Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The access key ID.
  • user - The IAM user associated with this access key.
  • key_fingerprint - The fingerprint of the PGP key used to encrypt the secret
  • secret - The secret access key. Note that this will be written to the state file. Please supply a pgp_key instead, which will prevent the secret from being stored in plain text
  • encrypted_secret - The encrypted secret, base64 encoded. ~> NOTE: The encrypted secret may be decrypted using the command line, for example: terraform output encrypted_secret | base64 --decode | keybase pgp decrypt.
  • ses_smtp_password - The secret access key converted into an SES SMTP password by applying AWS's documented conversion algorithm.
  • status - "Active" or "Inactive". Keys are initially active, but can be made inactive by other means.