AWS Access Keys - AKIA vs ASIA
In this article, we'll learn about the two types of AWS access keys that can be used to access AWS resources programmatically.
AWS requires different types of security credentials depending on how we access AWS resources:
- AWS Management Console: requires a user name and password
- Programmatic access (CLI/SDK/API): requires access keys
What are Access Keys?
Access keys are a type of AWS credential used to sign programmatic requests. These requests can be made using any of the following:
- AWS CLI
- AWS API
- AWS SDK
Access Keys General Structure:
Access keys generally consist of two parts:
- Access Key ID
- Secret Access Key
However, there can be a third part called the "Session Token". We'll discuss this later in the post.
Access Keys Classification:
Access keys can be classified into two types depending on how long they remain valid:
1) Long Term Access Keys
2) Temporary Access Keys
Long Term Access Keys 👇
As the name suggests, long term access keys are programmatic credentials that remain valid until they are explicitly deleted from our AWS account. This type of key is a long term, customer-managed credential associated with an IAM user or the AWS account root user.
A sample long term access key is as follows:
- Access Key ID (for example, AKIAIOSFODNN7EXAMPLE)
- Secret Access Key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).
We can assign up to two access keys per user (root user or IAM user). This allows the user to rotate keys easily and meet their security standards.
Refer to the AWS documentation "Managing access keys for IAM users" to create long term access keys for your user using the Console, CLI or API.
However, using long term credentials is not always ideal, for example where you want to give someone access to your AWS resources for a limited period only. This brings us to the other type of access key, i.e. the temporary access key.
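The two-keys-per-user limit is what makes rotation possible without downtime, but it also means a forgotten inactive key can block a rotation. The following script is an added example, not code from the article or from AWS: it reads the JSON shape that `aws iam list-access-keys` returns (a constructed sample is embedded so it runs offline), flags active keys older than an assumed 90-day policy, and prints the CLI steps of a rotation in the order AWS documents them (create, switch consumers, deactivate, verify, delete). The user name, key ids and dates are all constructed.

```python
"""Audit a user's access keys and plan a rotation (added example, constructed data)."""
import datetime
import json

MAX_KEY_AGE_DAYS = 90   # assumed rotation policy, not an AWS default
MAX_KEYS_PER_USER = 2   # per-user limit stated in the article

# Constructed sample in the shape of `aws iam list-access-keys --user-name alice --output json`.
SAMPLE_LIST_ACCESS_KEYS = json.dumps({
    "AccessKeyMetadata": [
        {"UserName": "alice", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
         "Status": "Active", "CreateDate": "2023-09-01T10:00:00+00:00"},
        {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE2NDKEY000",
         "Status": "Inactive", "CreateDate": "2024-02-15T10:00:00+00:00"},
    ]
})

# Fixed "now" so the example is reproducible; use datetime.datetime.now(datetime.timezone.utc) in practice.
AUDIT_TIME = datetime.datetime(2024, 3, 1, 12, 0, tzinfo=datetime.timezone.utc)


def parse_keys(list_output_json):
    """Turn the CLI JSON into dicts with a timezone-aware creation timestamp."""
    keys = []
    for item in json.loads(list_output_json)["AccessKeyMetadata"]:
        keys.append({
            "user": item["UserName"],
            "id": item["AccessKeyId"],
            "status": item["Status"],
            "created": datetime.datetime.fromisoformat(item["CreateDate"]),
        })
    return keys


def audit_keys(list_output_json, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Classify every key: 'ok', 'rotate' (active but too old) or 'delete' (inactive)."""
    findings = []
    for key in parse_keys(list_output_json):
        age_days = (now - key["created"]).days
        if key["status"] != "Active":
            action = "delete"       # an inactive key that nobody re-enables is only attack surface
        elif age_days > max_age_days:
            action = "rotate"
        else:
            action = "ok"
        findings.append({"id": key["id"], "status": key["status"],
                         "age_days": age_days, "action": action})
    return findings


def rotation_plan(list_output_json, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Ordered CLI steps. A user may hold only two keys, so a stale inactive key
    has to be deleted before a replacement can be created."""
    keys = parse_keys(list_output_json)
    findings = audit_keys(list_output_json, now, max_age_days)
    user = keys[0]["user"] if keys else None
    slots_used = len(keys)
    steps = []
    for f in findings:
        if f["action"] == "delete":
            steps.append(f"aws iam delete-access-key --user-name {user} --access-key-id {f['id']}")
            slots_used -= 1
    for f in findings:
        if f["action"] != "rotate":
            continue
        if slots_used >= MAX_KEYS_PER_USER:
            steps.append(f"# no free key slot for {user}: delete an unused key before rotating {f['id']}")
            continue
        # Create the replacement, move consumers over, then retire the old key in two stages.
        steps.append(f"aws iam create-access-key --user-name {user}")
        steps.append("# update every consumer of the old key with the new key, then verify")
        steps.append(f"aws iam update-access-key --user-name {user} --access-key-id {f['id']} --status Inactive")
        steps.append("# confirm nothing broke (e.g. no CloudTrail events for the old key id), then delete it")
        steps.append(f"aws iam delete-access-key --user-name {user} --access-key-id {f['id']}")
    return steps


if __name__ == "__main__":
    for finding in audit_keys(SAMPLE_LIST_ACCESS_KEYS, AUDIT_TIME):
        print(finding)
    print("\n".join(rotation_plan(SAMPLE_LIST_ACCESS_KEYS, AUDIT_TIME)))
```

Deactivating before deleting is the step that makes rotation safe: an inactive key can be switched back on if some consumer was missed, whereas a deleted key cannot.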
Temporary Access Keys 👇
As you might have guessed from the name, these keys are valid for a short period of time. Once they expire, they can no longer be used to access any AWS resources. These keys are generated using the AWS Security Token Service (STS).
A sample temporary access key is as follows:
- Access Key ID (for example, ASIAJEXAMPLEXEG2JICEA)
- Secret Access Key (for example, 9drTJvcXLB89EXAMPLELB8923FB892xMFI).
- Session Token (for example, AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU=)
The "Session Token" plays the most important role in temporary access keys: when we make a call using a temporary access key, the call must include the session token. AWS uses the session token to validate the temporary security credentials and to confirm whether they have expired.
These keys are generally used in the following scenarios:
- Temporary AWS access in less secure environments
- Providing an external identity with temporary access to AWS resources
- Cross account access to AWS resources.
For more details on the common scenarios for using temporary credentials, please refer to the AWS documentation.
Also, refer to the "Requesting temporary security credentials" AWS documentation for details on all the ways to generate temporary credentials in AWS.
⚡️Interesting Observation⚡️
Now let's assume the following scenario:
I am using temporary access keys to interact with my AWS resources via the CLI. However, instead of configuring all three parts of the access key, I left the "SessionToken" out of the CLI configuration. So...
Q. How will AWS now know that I am using temporary credentials?
Q. Will this make my credentials long term instead of temporary?
Give it a thought. The answer to this is in the blog's title 🤔
Let's discuss that now 👇
Access Key ID - AKIA vs ASIA
If you have not already noticed, the first four characters of the Access Key ID tell us the type of access key:
- Long Term Access Key → Access Key ID begins with "AKIA".
- Temporary Access Key → Access Key ID begins with "ASIA".
This allows AWS to determine the type of access key when a request comes in to access any AWS resource.
If you are using a temporary access key, i.e. a key starting with "ASIA", AWS expects the session token to be the third part of the credentials. If the session token is missing, you will get an error saying the credentials are not valid.
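To make the "missing session token" scenario concrete, here is an added example (not code from the article or from AWS) that ties the prefix check to what actually travels on the wire. It loads profiles from a constructed `~/.aws/credentials` style text, classifies the key by its AKIA/ASIA prefix, and signs a request with Signature Version 4 using only the standard library, adding the `x-amz-security-token` header only for temporary keys. The `validate_credentials` check is a local pre-flight test that mirrors the error the article describes; it is not AWS's server-side logic. The secret and session token values are constructed placeholders, and the signer is deliberately minimal (empty query string, path used as-is), so it illustrates the mechanics rather than replacing an SDK.

```python
"""AKIA vs ASIA: classify a key, check the profile, and sign with SigV4 (added example)."""
import configparser
import datetime
import hashlib
import hmac

# Constructed credentials-file content. The ASIA secret and the session token are fake.
CREDENTIALS_FILE = """
[long-term]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[temporary]
aws_access_key_id = ASIAJEXAMPLEXEG2JICEA
aws_secret_access_key = 9drTJvcXLB89EXAMPLELB8923FB892xMFI
aws_session_token = CONSTRUCTEDSESSIONTOKEN/example+value=

[temporary-missing-token]
aws_access_key_id = ASIAJEXAMPLEXEG2JICEA
aws_secret_access_key = 9drTJvcXLB89EXAMPLELB8923FB892xMFI
"""

# Fixed signing time so the example is reproducible.
SIGN_TIME = datetime.datetime(2024, 1, 1, 0, 0, 0, tzinfo=datetime.timezone.utc)


def key_type(access_key_id):
    """Classify an Access Key ID by the four-character prefix the article describes."""
    if access_key_id.startswith("AKIA"):
        return "long-term"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def load_profile(credentials_text, profile):
    """Read one profile; session_token is None when the profile has no aws_session_token."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(credentials_text)
    section = cfg[profile]
    return {
        "access_key_id": section["aws_access_key_id"],
        "secret_access_key": section["aws_secret_access_key"],
        "session_token": section.get("aws_session_token"),
    }


def validate_credentials(creds):
    """Local pre-flight check: an ASIA key without a session token will be rejected by AWS,
    so fail early with a clear message. Returns the key type when the set is complete."""
    kind = key_type(creds["access_key_id"])
    if kind == "temporary" and not creds["session_token"]:
        raise ValueError("temporary access key (ASIA...) requires aws_session_token")
    return kind


def check_profile(credentials_text, profile):
    """Human-readable verdict for a profile, handy in a CI or pre-commit check."""
    creds = load_profile(credentials_text, profile)
    try:
        return f"{profile}: {validate_credentials(creds)} credentials look complete"
    except ValueError as exc:
        return f"{profile}: {exc}"


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_request(creds, method, host, path, region, service, now, payload=b""):
    """Minimal SigV4: returns the headers to send. For temporary keys the session token is
    sent as x-amz-security-token and is itself covered by the signature."""
    validate_credentials(creds)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(payload).hexdigest()
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    if creds["session_token"]:
        headers["x-amz-security-token"] = creds["session_token"]
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([method, path, "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key from the secret: date -> region -> service -> aws4_request.
    k_date = _hmac(("AWS4" + creds["secret_access_key"]).encode(), date_stamp)
    k_signing = _hmac(_hmac(_hmac(k_date, region), service), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={creds['access_key_id']}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


if __name__ == "__main__":
    for name in ("long-term", "temporary", "temporary-missing-token"):
        print(check_profile(CREDENTIALS_FILE, name))
    signed = sign_request(load_profile(CREDENTIALS_FILE, "temporary"),
                          "GET", "sts.amazonaws.com", "/", "us-east-1", "sts", SIGN_TIME)
    print(signed["authorization"])
```

Two things worth noticing: the session token is listed in `SignedHeaders`, so it cannot be stripped or swapped without invalidating the signature, and the Access Key ID is sent in the clear inside the `Credential=` field, which is exactly why AWS can read the AKIA/ASIA prefix before it ever looks up the secret.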
👋 Enjoyed the article? Reach out to me anytime in the comments below or on Twitter for any further discussion or feedback.