AccessKey

Provides an IAM access key. This is a set of credentials that allow API requests to be made as an IAM user.

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var lbUser = new Aws.Iam.User("lbUser", new Aws.Iam.UserArgs
        {
            Path = "/system/",
        });
        var lbAccessKey = new Aws.Iam.AccessKey("lbAccessKey", new Aws.Iam.AccessKeyArgs
        {
            PgpKey = "keybase:some_person_that_exists",
            User = lbUser.Name,
        });
        var lbRo = new Aws.Iam.UserPolicy("lbRo", new Aws.Iam.UserPolicyArgs
        {
            Policy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
      ""Action"": [
        ""ec2:Describe*""
      ],
      ""Effect"": ""Allow"",
      ""Resource"": ""*""
    }
  ]
}

",
            User = lbUser.Name,
        });
        this.Secret = lbAccessKey.EncryptedSecret;
    }

    [Output("secret")]
    public Output<string> Secret { get; set; }
}

package main

import (
    "fmt"

    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/iam"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        lbUser, err := iam.NewUser(ctx, "lbUser", &iam.UserArgs{
            Path: pulumi.String("/system/"),
        })
        if err != nil {
            return err
        }
        lbAccessKey, err := iam.NewAccessKey(ctx, "lbAccessKey", &iam.AccessKeyArgs{
            PgpKey: pulumi.String("keybase:some_person_that_exists"),
            User:   lbUser.Name,
        })
        if err != nil {
            return err
        }
        _, err = iam.NewUserPolicy(ctx, "lbRo", &iam.UserPolicyArgs{
            Policy: pulumi.String(fmt.Sprintf("%v%v%v%v%v%v%v%v%v%v%v%v%v", "{\n", "  \"Version\": \"2012-10-17\",\n", "  \"Statement\": [\n", "    {\n", "      \"Action\": [\n", "        \"ec2:Describe*\"\n", "      ],\n", "      \"Effect\": \"Allow\",\n", "      \"Resource\": \"*\"\n", "    }\n", "  ]\n", "}\n", "\n")),
            User:   lbUser.Name,
        })
        if err != nil {
            return err
        }
        ctx.Export("secret", lbAccessKey.EncryptedSecret)
        return nil
    })
}

import pulumi
import pulumi_aws as aws

lb_user = aws.iam.User("lbUser", path="/system/")
lb_access_key = aws.iam.AccessKey("lbAccessKey",
    pgp_key="keybase:some_person_that_exists",
    user=lb_user.name)
lb_ro = aws.iam.UserPolicy("lbRo",
    policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

""",
    user=lb_user.name)
pulumi.export("secret", lb_access_key.encrypted_secret)

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const lbUser = new aws.iam.User("lb", {
    path: "/system/",
});
const lbAccessKey = new aws.iam.AccessKey("lb", {
    pgpKey: "keybase:some_person_that_exists",
    user: lbUser.name,
});
const lbRo = new aws.iam.UserPolicy("lb_ro", {
    policy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
`,
    user: lbUser.name,
});

export const secret = lbAccessKey.encryptedSecret;

Create a AccessKey Resource

new AccessKey(name: string, args: AccessKeyArgs, opts?: CustomResourceOptions);

def AccessKey(resource_name, opts=None, pgp_key=None, status=None, user=None, __props__=None);

func NewAccessKey(ctx *Context, name string, args AccessKeyArgs, opts ...ResourceOption) (*AccessKey, error)

public AccessKey(string name, AccessKeyArgs args, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args AccessKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args AccessKeyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AccessKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

AccessKey Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The AccessKey resource accepts the following input properties:

User string: The IAM user to associate with this access key.
PgpKey string: Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.
Status string: The access key status to apply. Defaults to Active. Valid values are Active and Inactive.

User string: The IAM user to associate with this access key.
PgpKey string: Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.
Status string: The access key status to apply. Defaults to Active. Valid values are Active and Inactive.

user string: The IAM user to associate with this access key.
pgpKey string: Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.
status string: The access key status to apply. Defaults to Active. Valid values are Active and Inactive.

user str: The IAM user to associate with this access key.
pgp_key str: Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.
status str: The access key status to apply. Defaults to Active. Valid values are Active and Inactive.

Outputs

All input properties are implicitly available as output properties. Additionally, the AccessKey resource produces the following output properties:

EncryptedSecret string

The encrypted secret, base64 encoded, if pgp_key was specified. > NOTE: The encrypted secret may be decrypted using the command line,

Id string

The provider-assigned unique ID for this managed resource.

KeyFingerprint string

The fingerprint of the PGP key used to encrypt the secret

Secret string

The secret access key. Note that this will be written to the state file. If you use this, please protect your backend state file judiciously. Alternatively, you may supply a pgp_key instead, which will prevent the secret from being stored in plaintext, at the cost of preventing the use of the secret key in automation.

SesSmtpPassword string

DEPRECATED The secret access key converted into an SES SMTP password by applying [AWS’s documented conversion

Deprecated:

AWS SigV2 for SES SMTP passwords isy deprecated. Use 'ses_smtp_password_v4' for region-specific AWS SigV4 signed SES SMTP password instead.

SesSmtpPasswordV4 string

The secret access key converted into an SES SMTP password by applying AWS’s documented Sigv4 conversion algorithm. As SigV4 is region specific, valid Provider regions are ap-south-1, ap-southeast-2, eu-central-1, eu-west-1, us-east-1 and us-west-2. See current AWS SES regions

EncryptedSecret string

The encrypted secret, base64 encoded, if pgp_key was specified. > NOTE: The encrypted secret may be decrypted using the command line,

Id string

The provider-assigned unique ID for this managed resource.

KeyFingerprint string

The fingerprint of the PGP key used to encrypt the secret

Secret string

SesSmtpPassword string

DEPRECATED The secret access key converted into an SES SMTP password by applying [AWS’s documented conversion

Deprecated:

AWS SigV2 for SES SMTP passwords isy deprecated. Use 'ses_smtp_password_v4' for region-specific AWS SigV4 signed SES SMTP password instead.

SesSmtpPasswordV4 string

encryptedSecret string

The encrypted secret, base64 encoded, if pgp_key was specified. > NOTE: The encrypted secret may be decrypted using the command line,

id string

The provider-assigned unique ID for this managed resource.

keyFingerprint string

The fingerprint of the PGP key used to encrypt the secret

secret string

sesSmtpPassword string

DEPRECATED The secret access key converted into an SES SMTP password by applying [AWS’s documented conversion

Deprecated:

AWS SigV2 for SES SMTP passwords isy deprecated. Use 'ses_smtp_password_v4' for region-specific AWS SigV4 signed SES SMTP password instead.

sesSmtpPasswordV4 string

encrypted_secret str

The encrypted secret, base64 encoded, if pgp_key was specified. > NOTE: The encrypted secret may be decrypted using the command line,

id str

The provider-assigned unique ID for this managed resource.

key_fingerprint str

The fingerprint of the PGP key used to encrypt the secret

secret str

ses_smtp_password str

DEPRECATED The secret access key converted into an SES SMTP password by applying [AWS’s documented conversion

Deprecated:

AWS SigV2 for SES SMTP passwords isy deprecated. Use 'ses_smtp_password_v4' for region-specific AWS SigV4 signed SES SMTP password instead.

ses_smtp_password_v4 str

Look up an Existing AccessKey Resource

Get an existing AccessKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AccessKeyState, opts?: CustomResourceOptions): AccessKey

static get(resource_name, id, opts=None, encrypted_secret=None, key_fingerprint=None, pgp_key=None, secret=None, ses_smtp_password=None, ses_smtp_password_v4=None, status=None, user=None, __props__=None);

func GetAccessKey(ctx *Context, name string, id IDInput, state *AccessKeyState, opts ...ResourceOption) (*AccessKey, error)

public static AccessKey Get(string name, Input<string> id, AccessKeyState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

EncryptedSecret string

The encrypted secret, base64 encoded, if pgp_key was specified. > NOTE: The encrypted secret may be decrypted using the command line,

KeyFingerprint string

The fingerprint of the PGP key used to encrypt the secret

PgpKey string

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.

Secret string

SesSmtpPassword string

DEPRECATED The secret access key converted into an SES SMTP password by applying [AWS’s documented conversion

Deprecated:

AWS SigV2 for SES SMTP passwords isy deprecated. Use 'ses_smtp_password_v4' for region-specific AWS SigV4 signed SES SMTP password instead.

SesSmtpPasswordV4 string

Status string

The access key status to apply. Defaults to Active. Valid values are Active and Inactive.

User string

The IAM user to associate with this access key.

EncryptedSecret string

The encrypted secret, base64 encoded, if pgp_key was specified. > NOTE: The encrypted secret may be decrypted using the command line,

KeyFingerprint string

The fingerprint of the PGP key used to encrypt the secret

PgpKey string

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.

Secret string

SesSmtpPassword string

DEPRECATED The secret access key converted into an SES SMTP password by applying [AWS’s documented conversion

Deprecated:

AWS SigV2 for SES SMTP passwords isy deprecated. Use 'ses_smtp_password_v4' for region-specific AWS SigV4 signed SES SMTP password instead.

SesSmtpPasswordV4 string

Status string

The access key status to apply. Defaults to Active. Valid values are Active and Inactive.

User string

The IAM user to associate with this access key.

encryptedSecret string

The encrypted secret, base64 encoded, if pgp_key was specified. > NOTE: The encrypted secret may be decrypted using the command line,

keyFingerprint string

The fingerprint of the PGP key used to encrypt the secret

pgpKey string

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.

secret string

sesSmtpPassword string

DEPRECATED The secret access key converted into an SES SMTP password by applying [AWS’s documented conversion

Deprecated:

AWS SigV2 for SES SMTP passwords isy deprecated. Use 'ses_smtp_password_v4' for region-specific AWS SigV4 signed SES SMTP password instead.

sesSmtpPasswordV4 string

status string

The access key status to apply. Defaults to Active. Valid values are Active and Inactive.

user string

The IAM user to associate with this access key.

encrypted_secret str

The encrypted secret, base64 encoded, if pgp_key was specified. > NOTE: The encrypted secret may be decrypted using the command line,

key_fingerprint str

The fingerprint of the PGP key used to encrypt the secret

pgp_key str

Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute.

secret str

ses_smtp_password str