AWS Access Keys - AKIA vs ASIA
Learn about the two types of AWS Access keys which can be used to programmatically access the AWS resources
AWS requires different types of security credentials depending on how you access AWS resources:
- AWS Management Console - requires a user name and password
- Programmatic access - requires access keys
What are Access Keys?
Access keys are a type of AWS credential used to sign programmatic requests. These requests can be made using any of the following:
- AWS CLI
- AWS API
- AWS SDK
Access Keys General Structure:
Access keys generally consist of two parts:
- Access Key ID
- Secret Access Key
However, there can be a third part called the Session Token. We will discuss it in more detail later in the post.
Access Keys Types:
Access keys can be classified into two types depending on how long they are valid:
- Long Term Access Keys
- Temporary Access Keys
Long Term Access Keys 👇
As the name suggests, long term access keys are programmatic credentials that remain valid indefinitely, until they are explicitly deleted from the AWS account. They are always associated with an IAM user or the AWS account's root user.
Sample long term access keys are as follows:
{
"Access Key ID": "AKIAIOSFODNN7EXAMPLE",
"Secret Access Key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
We can have up to two access keys per user (root user or IAM user). This allows the user to rotate keys without downtime and meet their security standards.
Refer to the AWS documentation Managing access keys for IAM users to create long term access keys for your user using the Console, CLI or API.
However, long term credentials are not the ideal approach when you want to give someone access to your AWS resources for a limited period. This brings us to the other type of access key: temporary access keys.
Temporary Access Keys 👇
As you might have already guessed from the name, these keys are valid only for a short period of time. Once they have expired, they can no longer be used to access any AWS resources. These keys are generated using the AWS Security Token Service (STS).
Sample temporary access keys are as follows:
{
"Access Key ID": "ASIAJEXAMPLEXEG2JICEA",
"Secret Access Key": "9drTJvcXLB89EXAMPLELB8923FB892xMFI",
"Session Token": "AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU="
}
The Session Token plays the most important role in temporary access keys. When we make a call using temporary access keys, the call must include the session token. AWS uses the session token to validate the temporary security credentials and to confirm whether they have expired.
These keys are generally used in the following scenarios:
- Temporary AWS access in untrusted environments
- Providing an external identity with temporary access to AWS resources
- Cross account access to AWS resources
Further details on the most common scenarios for using temporary credentials can be found in the AWS documentation.
You can also refer to the Requesting temporary security credentials AWS documentation to explore all the possible ways to generate temporary credentials in AWS.
⚡️Interesting Observation⚡️
Now let’s assume the following scenario:
I am using temporary access keys to interact with my AWS resources via the CLI. However, instead of configuring all three parts of the access key, I excluded the "SessionToken" from the CLI configuration. So…
Q. How will AWS now know that I am using temporary credentials?
Q. Will this make my credentials long term instead of temporary?
Give it a thought. The answer is in the blog's title 🤔
Let's discuss that now 👇
Access Key ID - AKIA vs ASIA
If you have not already noticed, the first four characters of the Access Key ID tell us the type of access key:
- Long Term Access Key → Access Key ID begins with AKIA.
- Temporary Access Key → Access Key ID begins with ASIA.
This is one of the most basic checks AWS performs to determine the type of access key when a request comes in to access any AWS resource.
For the curious thinkers out there, dropping the Session Token and rewriting the prefix to AKIA will also not work. There are other invisible forces at play here 😉
In conclusion, if you are using temporary access keys, i.e. a key starting with "ASIA", AWS expects the session token to be the third parameter in the credentials. If the session token is missing, you will get an error for not using valid credentials.
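To turn the AKIA/ASIA observation into a check you can run before a deployment fails with an invalid-credentials error, here is an added example (not from the original post) that audits AWS CLI credential profiles: it classifies each key by prefix, flags ASIA profiles missing aws_session_token, and points out long-lived AKIA keys for rotation tracking. The credentials file content is constructed sample data using the post's EXAMPLE key IDs; the session token value is a made-up placeholder.

```python
"""Audit AWS CLI credential profiles by access key type (AKIA vs ASIA)."""
import configparser
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample ~/.aws/credentials content; none of these are real keys.
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[temp-missing-token]
aws_access_key_id = ASIAJEXAMPLEXEG2JICEA
aws_secret_access_key = 9drTJvcXLB89EXAMPLELB8923FB892xMFI

[temp-ok]
aws_access_key_id = ASIAJEXAMPLEXEG2JICEA
aws_secret_access_key = 9drTJvcXLB89EXAMPLELB8923FB892xMFI
aws_session_token = FwoGZXIvYXdzEXAMPLESESSIONTOKENPLACEHOLDER
"""


def key_type(access_key_id: str) -> str:
    """Classify an access key ID by its four-character prefix."""
    if access_key_id.startswith("AKIA"):
        return "long-term"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


@dataclass
class Finding:
    profile: str
    kind: str
    issue: Optional[str]  # None means the profile is internally consistent


def audit_profiles(ini_text: str) -> List[Finding]:
    """Parse credentials-file text and report one Finding per profile."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    findings = []
    for name in parser.sections():
        section = parser[name]
        kind = key_type(section.get("aws_access_key_id", ""))
        has_token = bool(section.get("aws_session_token"))
        issue = None
        if kind == "temporary" and not has_token:
            issue = "ASIA key without aws_session_token: AWS will reject requests"
        elif kind == "long-term" and has_token:
            issue = "AKIA key paired with a session token: inconsistent profile"
        elif kind == "long-term":
            issue = "long-term key: never expires, track its rotation"
        elif kind == "unknown":
            issue = "unrecognised access key prefix"
        findings.append(Finding(name, kind, issue))
    return findings
```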