env.dev

AWS_SECRET_ACCESS_KEY

Sensitive

The secret access key paired with AWS_ACCESS_KEY_ID for signing AWS API requests. This value is only shown once when created and must be stored securely. Never commit this to source control or expose it in logs.

AWS_SECRET_ACCESS_KEY is the private half of an IAM credential pair: a 40-character Base64 string used to cryptographically sign every AWS API request (SigV4). AWS shows it exactly once, at creation time — there is no way to retrieve it again, only to generate a new key. It is the single most sensitive value in a typical AWS setup; anyone with it (plus the access key ID) can act as that IAM principal. The SDKs read it from the environment automatically, but storing it in plaintext env files is a liability — a secrets manager or, better, role-based temporary credentials avoids holding it at all.

Provider: AWS
Category: authentication
Set by: AWS Console → IAM → Users → your user → Security credentials → Create access key
Example: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Security: This is a high-value secret. Never commit it, never log it, never bake it into a Docker image layer (it persists in image history even if a later layer unsets it). Leaked secret keys are the leading cause of AWS account compromise and surprise crypto-mining bills. Use IAM roles or AWS SSO for short-lived credentials; if you must use a static key, store it in AWS Secrets Manager / SSM Parameter Store and scope the IAM policy to least privilege. Rotate immediately if exposure is suspected — generate a new key, deploy it, then delete the old one.
Gotcha: Because the secret is only displayed once, losing it means creating a new key, not recovering the old one. Also: the value contains '/' and '+' characters, so quote it in shell scripts and be careful in URLs or YAML where those need escaping.

How to set AWS_SECRET_ACCESS_KEY

bash (with the access key ID)

export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
aws s3 ls

fetch from Secrets Manager instead of hardcoding

export AWS_SECRET_ACCESS_KEY=$(aws secretsmanager get-secret-value \
  --secret-id my/app/aws-key --query SecretString --output text)

Frequently Asked Questions

I lost my AWS secret access key. How do I recover it?

You cannot. AWS only displays the secret once, at creation. Create a new access key in IAM, update wherever the credentials are used, verify it works, then delete the old key. This rotation is also the right response to any suspected leak.

Where should I store AWS_SECRET_ACCESS_KEY?

Ideally nowhere long-term — use IAM roles or AWS SSO so credentials are short-lived and injected automatically. If you need a static key, keep it in AWS Secrets Manager or SSM Parameter Store and inject it at runtime, never in source control, CI logs, or a committed .env file.
