Resource Access Management: FAQ about AccessKey pairs

Last Updated: Sep 05, 2024

This topic provides answers to some frequently asked questions about AccessKey pairs, including what an AccessKey pair is, how to view an AccessKey pair, how to check whether an AccessKey pair is in use, and how to deal with leaks of an AccessKey pair.

What is an AccessKey pair?

An AccessKey pair is a permanent access credential that is provided by Alibaba Cloud to a user. An AccessKey pair consists of an AccessKey ID and an AccessKey secret.

  • The AccessKey ID is used to identify a user.

  • The AccessKey secret is used to verify the identity of the user.

The AccessKey ID and AccessKey secret are generated by RAM based on algorithms. Alibaba Cloud encrypts the AccessKey ID and AccessKey secret during storage and transmission.

You cannot use an AccessKey pair to log on to the console. When you use a development tool such as an API, CLI, SDK, or Terraform to access Alibaba Cloud, each request that you initiate includes the AccessKey ID and a signature that is generated over the request by using the AccessKey secret. In this case, the AccessKey pair is used to verify both the identity of the caller and the validity of the request.
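The following added example (not code from Alibaba Cloud) illustrates the identity and request-validity check described above with a simplified HMAC-SHA256 scheme; it is not Alibaba Cloud's actual signature algorithm. The key store, credential values, parameter names, and the `DescribeExample` action are constructed for the illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credentials for the demonstration; not real keys.
KEY_STORE = {"EXAMPLE-ACCESS-KEY-ID": "example-access-key-secret"}


def canonicalize(method, params):
    """Deterministic string to sign: HTTP method plus sorted, percent-encoded parameters."""
    pairs = sorted((k, v) for k, v in params.items() if k != "Signature")
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in pairs)
    return f"{method}&{quote(query, safe='')}"


def sign(method, params, secret):
    """HMAC the canonical request with the AccessKey secret (simplified scheme)."""
    mac = hmac.new(secret.encode(), canonicalize(method, params).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def build_request(method, action_params, key_id, secret):
    """Client side: send the AccessKey ID and the signature, never the secret."""
    params = dict(action_params, AccessKeyId=key_id)
    params["Signature"] = sign(method, params, secret)
    return params


def verify(method, params):
    """Server side: look up the secret by AccessKey ID, recompute, compare in constant time."""
    secret = KEY_STORE.get(params.get("AccessKeyId", ""))
    if secret is None:
        return "unknown AccessKey ID"
    expected = sign(method, params, secret)
    if not hmac.compare_digest(expected.encode(), params.get("Signature", "").encode()):
        return "signature mismatch"
    return "ok"


if __name__ == "__main__":
    req = build_request("GET", {"Action": "DescribeExample", "Nonce": "n-001"},
                        "EXAMPLE-ACCESS-KEY-ID", "example-access-key-secret")
    print(verify("GET", req))                                 # valid request
    print(verify("GET", dict(req, Action="DeleteExample")))   # modified after signing
```

Because the secret is the only input that an outside party lacks, anyone who obtains it can produce signatures that the server accepts, which is why a leaked AccessKey secret exposes every permission of its owner.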

Important
  • By default, an Alibaba Cloud account is an administrator and has the permissions to manage all Alibaba Cloud resources of the Alibaba Cloud account. You cannot change the permissions of the Alibaba Cloud account. If the AccessKey pair of an Alibaba Cloud account is leaked, the resources that belong to the account are exposed to potential risks. To ensure account security, we recommend that you do not create an AccessKey pair for an Alibaba Cloud account. We recommend that you create a RAM user for whom only the API access mode is enabled, and create an AccessKey pair for the RAM user. After you grant only the required permissions to the RAM user based on the principle of least privilege, the RAM user can call API operations to access Alibaba Cloud resources.

  • We recommend that you do not include AccessKey pairs in your project code. If you include AccessKey pairs in your project code, the AccessKey pairs may be leaked. For more information about how to use an AccessKey pair in a secure manner, see Credential security solutions.

What information can I view after I create an AccessKey pair?

After you create an AccessKey pair, you can view basic information such as the AccessKey ID, the status of the AccessKey pair, the time when the AccessKey pair was last used, and the time when the AccessKey pair was created. For more information, see View the information about AccessKey pairs of a RAM user.

Can I view the AccessKey ID after I create an AccessKey pair?

Yes, you can view the AccessKey ID after you create an AccessKey pair.

Can I view the AccessKey secret after I create an AccessKey pair?

No, you cannot view the AccessKey secret after you create an AccessKey pair. The AccessKey secret for an Alibaba Cloud account or a Resource Access Management (RAM) user is displayed only when you create the AccessKey pair. You cannot query the AccessKey secret in subsequent operations. This helps reduce the risks of AccessKey pair leaks. Record the AccessKey secret and keep it confidential.

How do I check whether an AccessKey pair is in use?

You can view the time when an AccessKey pair was last used in the Alibaba Cloud Management Console or by calling an operation. This helps you check whether the AccessKey pair is in use.

  • AccessKey Pair page

    If you access the AccessKey Pair page by using an Alibaba Cloud account, you can view the time when the AccessKey pair of the Alibaba Cloud account was last used. If you access the AccessKey Pair page by using a RAM user, you can view the time when the AccessKey pair of the RAM user was last used.

  • RAM console

    If you log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights, you can view the time when the AccessKey pairs of all RAM users were last used. For more information, see View the information about AccessKey pairs of a RAM user.

  • GetAccessKeyLastUsed

    You can call this operation to view the time when the AccessKey pair of an Alibaba Cloud account or RAM user was last used.

Can I change the AccessKey ID after I create an AccessKey pair?

No, you cannot change the AccessKey ID after you create an AccessKey pair. You can only disable, enable, or delete an AccessKey pair.

Can I restore an AccessKey pair after I delete it?

No, you cannot restore an AccessKey pair that is deleted.

Warning

Proceed with caution when you delete an AccessKey pair. If you delete an AccessKey pair that is in use, applications that rely on it may fail.

What do I do if an AccessKey pair is leaked?

For more information, see Solutions to AccessKey pair leaks.