AWS_ACCESS_KEY_ID

Sensitive

The access key ID for AWS IAM user or role authentication. Part of the long-term credential pair (along with the secret access key) used to sign programmatic requests to AWS services. For production workloads, prefer IAM roles or temporary credentials over long-term access keys.

Last updated: 2026-06-05

AWS_ACCESS_KEY_ID is the public half of a long-term IAM credential pair — it identifies which IAM user or access key is signing a request, while AWS_SECRET_ACCESS_KEY signs it. Keys for IAM users start with the prefix AKIA; temporary keys from STS start with ASIA. The AWS SDKs and CLI read it automatically from the environment as part of the default credential provider chain, so exporting it is usually all you need to authenticate. For anything running inside AWS (EC2, ECS, Lambda, EKS), you should not set it at all — use an IAM role and let the metadata service hand out short-lived credentials.

Provider: AWS
Category: authentication
Set by: AWS Console → IAM → Users → your user → Security credentials → Create access key
Example: AKIAIOSFODNN7EXAMPLE

Security: Treat the access key ID as low-risk on its own, but it is half of a credential pair — leaking it alongside the secret key gives full programmatic access to whatever the IAM principal can do. Hardcoded AKIA keys in public GitHub repos are scraped within minutes; AWS auto-quarantines some but never rely on that. Prefer IAM roles, scope keys to least privilege, and rotate regularly. GitHub push protection and git-secrets can block accidental commits.

Gotcha: If you set AWS_ACCESS_KEY_ID in the environment, it overrides the credentials in ~/.aws/credentials and any IAM role on the instance. A stale exported key is a common cause of 'why is the CLI using the wrong account?' — check `env | grep AWS` before debugging profiles.

How to set AWS_ACCESS_KEY_ID

bash (pair with the secret)

export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws sts get-caller-identity

preferred: no static key (assume a role)

aws configure sso
# or, inside AWS, attach an IAM role — no keys in env at all

References

Managing access keys

Frequently Asked Questions

What is the difference between AKIA and ASIA access keys?

AKIA prefixes a long-term key tied to an IAM user — it stays valid until you delete it. ASIA prefixes a temporary key issued by AWS STS (assumed role, SSO, MFA session) and expires within hours. ASIA keys must be sent together with AWS_SESSION_TOKEN; AKIA keys must not.

Should I use access keys on an EC2 instance or in Lambda?

No. Attach an IAM role instead. The SDK credential chain automatically picks up short-lived credentials from the instance/container metadata service, so there are no long-term secrets to leak or rotate. Setting AWS_ACCESS_KEY_ID there actually overrides the safer role.

Was this helpful?

Stay up to date

Get notified about new guides, tools, and cheatsheets.

Related Variables

AWS_SECRET_ACCESS_KEY

The secret access key paired with AWS_ACCESS_KEY_ID for signing AWS API requests. This value is only shown once when created and must be stored securely. Never commit this to source control or expose it in logs.

Browse all 242 environment variables →