The AWS Producer generates AWS access credentials dynamically based on IAM policies. In order to create dynamic keys for AWS access, you need to first configure Akeyless to authenticate and communicate with AWS. This requires privileged account credentials.
Prerequisites
To create a producer, first:
- Create an AWS IAM user with privileged administrator access.
- Retrieve the access key ID and secret access key for that user in order to authenticate Akeyless with AWS.
The minimum required policy for such a user should include the following permissions (replace the account ID in the `Resource` ARN with your own):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteAccessKey",
        "iam:AttachUserPolicy",
        "iam:DeleteUser",
        "iam:ListUserPolicies",
        "iam:CreateUser",
        "iam:TagUser",
        "iam:CreateAccessKey",
        "iam:CreateLoginProfile",
        "iam:RemoveUserFromGroup",
        "iam:AddUserToGroup",
        "iam:ListGroupsForUser",
        "iam:ListAttachedUserPolicies",
        "iam:DetachUserPolicy",
        "iam:GetLoginProfile",
        "iam:DeleteLoginProfile",
        "iam:ListUserTags",
        "iam:ListAccessKeys"
      ],
      "Resource": "arn:aws:iam::516800367921:user/*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "iam:ListPolicies",
        "iam:ListRoles",
        "iam:ListUsers",
        "iam:ListGroups"
      ],
      "Resource": "*"
    }
  ]
}
```
An AWS IAM tip
To authenticate Akeyless with AWS, you can simply create a new IAM user and attach only the policy above; nothing further is needed.
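The policy above is easy to widen by accident (for example, by leaving `Resource` as `*` in the first statement while building it in the visual editor). The following script, an added example rather than Akeyless code, embeds the page's policy as its sample input and checks two things offline: that every action the producer needs for the create/grant/issue and revoke phases of a dynamic user is present, and that the mutating IAM actions stay scoped to `user/*` in a single account. The grouping of actions into "provision" and "revoke" phases is this example's reading of the page's action list, and `with_resource` is a helper defined here for what-if checks.

```python
import json
import re

# The minimum IAM policy from this page, embedded as the sample input
# (the account id is the one shown on the page).
MIN_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteAccessKey", "iam:AttachUserPolicy", "iam:DeleteUser",
        "iam:ListUserPolicies", "iam:CreateUser", "iam:TagUser",
        "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:RemoveUserFromGroup",
        "iam:AddUserToGroup", "iam:ListGroupsForUser", "iam:ListAttachedUserPolicies",
        "iam:DetachUserPolicy", "iam:GetLoginProfile", "iam:DeleteLoginProfile",
        "iam:ListUserTags", "iam:ListAccessKeys"
      ],
      "Resource": "arn:aws:iam::516800367921:user/*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": ["iam:ListPolicies", "iam:ListRoles", "iam:ListUsers", "iam:ListGroups"],
      "Resource": "*"
    }
  ]
}
"""
MIN_POLICY = json.loads(MIN_POLICY_JSON)

# Lifecycle of a dynamic AWS key as implied by the page's action list (this grouping
# is an assumption of the example): create a user, grant it permissions, issue
# credentials, and later tear all of it down again.
LIFECYCLE_ACTIONS = {
    "provision": {"iam:CreateUser", "iam:TagUser", "iam:AttachUserPolicy",
                  "iam:AddUserToGroup", "iam:CreateAccessKey", "iam:CreateLoginProfile"},
    "revoke": {"iam:DeleteAccessKey", "iam:DeleteLoginProfile", "iam:DetachUserPolicy",
               "iam:RemoveUserFromGroup", "iam:DeleteUser"},
}
READ_ONLY = re.compile(r"^iam:(List|Get)\w+$")
USER_RESOURCE = re.compile(r"^arn:aws:iam::\d{12}:user/.+$")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Every action granted by an Allow statement, regardless of resource."""
    actions = set()
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow":
            actions.update(_as_list(st["Action"]))
    return actions


def missing_lifecycle_actions(policy):
    """Actions the producer needs in each phase that the policy does not grant."""
    have = allowed_actions(policy)
    return {phase: sorted(a for a in needed if a not in have)
            for phase, needed in LIFECYCLE_ACTIONS.items()}


def scope_findings(policy):
    """Statements whose mutating IAM actions apply beyond `user/*` in one account."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st["Action"])
        if any(a in ("*", "iam:*") for a in actions):
            findings.append(f"{sid}: wildcard action grants all of IAM")
        mutating = sorted(a for a in actions if not READ_ONLY.match(a))
        if not mutating:
            continue  # read-only listing on "*" is exactly what the page intends
        for res in _as_list(st["Resource"]):
            if not USER_RESOURCE.match(res):
                findings.append(f"{sid}: mutating actions {mutating} on resource {res!r}")
    return findings


def with_resource(policy, sid, resource):
    """Deep copy of the policy with one statement's Resource replaced (what-if checks)."""
    clone = json.loads(json.dumps(policy))
    for st in clone["Statement"]:
        if st.get("Sid") == sid:
            st["Resource"] = resource
    return clone


if __name__ == "__main__":
    print("missing:", missing_lifecycle_actions(MIN_POLICY))
    print("scope findings:", scope_findings(MIN_POLICY))
    print("if VisualEditor0 used '*':",
          scope_findings(with_resource(MIN_POLICY, "VisualEditor0", "*")))
```

Run it against a policy exported from your own account before attaching it to the Akeyless user. One caveat the checks do not cover: `iam:AttachUserPolicy` with no `Condition` lets the authenticating user attach any policy in the account to the users it creates, which is why the page treats these credentials as privileged and why they belong in Akeyless rather than on a workstation.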
AWS Producer
- Navigate to localhost:8000 and log in using your Gateway credentials. See Install and configure the Gateway for more information.
- Navigate to Dynamic Secrets from the left navigation panel:


- Select New=>AWS Producer. The Create a new AWS Producer window pops up:


- AWS grants access to a resource through IAM users, policies and user groups: a user can perform an operation on a resource only if the required permission has been granted, either by a policy attached to the user or through a group the user belongs to. The AWS IAM docs describe the available policies and the permissions they grant.
Accordingly, complete the fields in the producer dialog box as described in the following table. The "user" fields (policies, groups, programmatic access and console access) define the access and authorization that AWS grants to whoever uses the resulting dynamic key:

| Field | Description |
|---|---|
| | Enter a unique name that describes the purpose or permissions scope of this producer. |
| | Indicate where to store this producer in Akeyless. |
| | The access key ID of the admin user you created to authenticate Akeyless with AWS. |
| | The secret access key of the admin user you created to authenticate Akeyless with AWS. |
| | The AWS region that the temporary credentials are permitted to access. |
| | If you authenticate with temporary security credentials obtained from the AWS Security Token Service (STS), enter the accompanying session token here. Otherwise, leave it empty. |
| | Enter the policy ARN(s) to attach to users of this dynamic key. Separate multiple values with a comma. |
| | Enter the user group name(s) whose authorization you want to give to users of this dynamic key. Separate multiple values with a comma. |
| | Check to issue an access key ID and secret access key for use with the AWS API, CLI and SDKs. |
| | Check to enable access to the AWS Management Console (issues a password that lets the user sign in to the console). |
| Encrypt dynamic secret with the following Key | To enable zero-trust, select a key with a Customer Fragment. For more information about zero-trust, see Zero Trust Encryption. |
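The "user" fields decide what every consumer of the dynamic key can do, so they deserve the same review as the producer's own policy. The script below is an added example (not part of Akeyless) that validates those fields before you save the producer: it splits the comma-separated policy ARNs and group names as the table describes, rejects malformed ARNs and policies from a different account than the one the admin credentials belong to (IAM can only attach policies that live in the same account), and warns on unusually broad managed policies or on a configuration that would issue no usable credential. The field keys (`user_policies`, `user_groups`, `programmatic_access`, `console_access`), the watch-list of broad policies and the sample inputs are this example's own constructions.

```python
import re

# IAM policy ARN: arn:aws:iam::<aws|12-digit account>:policy/<path/name>
POLICY_ARN = re.compile(r"^arn:aws:iam::(aws|\d{12}):policy/[\w+=.@/-]+$")
# IAM group names: letters, digits and + = . @ _ - up to 128 characters
GROUP_NAME = re.compile(r"^[\w+=.@-]{1,128}$")
# AWS managed policies broader than a short-lived key usually needs
# (an assumed watch-list for this example, not something the page defines).
BROAD_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
}


def split_csv(value):
    """Split a comma-separated dialog value, dropping blanks and surrounding spaces."""
    return [v.strip() for v in value.split(",") if v.strip()]


def validate_producer_fields(fields, auth_account):
    """Check the 'user' fields of the producer dialog before saving the producer.

    `fields` mirrors the dialog: user_policies and user_groups are the comma-separated
    strings the page describes; programmatic_access and console_access are the two
    check boxes. `auth_account` is the 12-digit account the admin credentials belong to.
    Returns hard errors (would fail at run time) and warnings (would work, but are broad).
    """
    errors, warnings = [], []

    policy_arns = split_csv(fields.get("user_policies", ""))
    for arn in policy_arns:
        match = POLICY_ARN.match(arn)
        if not match:
            errors.append(f"malformed policy ARN: {arn!r}")
            continue
        owner = match.group(1)
        if owner != "aws" and owner != auth_account:
            errors.append(f"{arn} belongs to account {owner}; the producer can only attach "
                          f"policies from account {auth_account}")
        if arn in BROAD_POLICIES:
            warnings.append(f"{arn} grants broad access; prefer a policy scoped to the "
                            f"resources this dynamic key is for")

    groups = split_csv(fields.get("user_groups", ""))
    for group in groups:
        if not GROUP_NAME.match(group):
            errors.append(f"invalid IAM group name: {group!r}")

    if not policy_arns and not groups:
        warnings.append("no policies or groups: users of this key would have no permissions")
    if not fields.get("programmatic_access") and not fields.get("console_access"):
        warnings.append("neither programmatic nor console access is enabled, "
                        "so no usable credential would be issued")
    return {"errors": errors, "warnings": warnings}


# Constructed sample inputs; the account id is the one that appears in the page's policy,
# the policy and group names are made up for the example.
AUTH_ACCOUNT = "516800367921"
GOOD_FIELDS = {
    "user_policies": "arn:aws:iam::516800367921:policy/ReadBillingBucket, "
                     "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
    "user_groups": "billing-readers",
    "programmatic_access": True,
    "console_access": False,
}
RISKY_FIELDS = {
    "user_policies": "arn:aws:iam::aws:policy/AdministratorAccess,"
                     "arn:aws:iam::111122223333:policy/Other",
    "user_groups": "",
    "programmatic_access": False,
    "console_access": False,
}

if __name__ == "__main__":
    for name, f in (("good", GOOD_FIELDS), ("risky", RISKY_FIELDS)):
        print(name, validate_producer_fields(f, AUTH_ACCOUNT))
```

Errors are conditions the producer would hit when it tries to attach the policy to a freshly created user; warnings are choices that work but hand every consumer of the key more than a scoped dynamic secret should carry.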

