Why use AWS Access Keys instead of IAM Roles

Question

1. Why are AWS access keys (access key ID and secret access key) complex i.e. lengthy and unreadable unlike console access credentials? A key if its simple or complex once stolen doesn't help and so why not keep it simple ?

2. Apart from logging into AWS CLI, what are the scenarios where only access keys (access key ID and secret access key) can help and where the recommended best practice of using roles is not practical?

Answer 1

I would not like to guess the inner thoughts of the people who design AWS authentication, but a complex secret improves the security by making it more difficult to guess. It would also increase the complexity of data encoded with the key, making it harder to reverse-engineer. Plus, nobody ever types it, so there is no need to have a short secret.

The Access Key and Secret Key is used for every API request to AWS. This can come from the AWS Command-Line Interface (CLI), or any software created with an AWS SDK. In fact, the AWS CLI is just a Python program that uses the AWS SDK for Python (called boto3).

IAM Roles can be assigned to Amazon EC2 instances. This will then provide a temporary Access Key and Secret Key to an instance (see Retrieving Security Credentials from Instance Metadata). So, roles are just a secure way of providing an Access Key, but the Access Key is still used.

An IAM Role can also be assumed to obtain temporary access to resources, but calling the AssumeRole() command also requires an Access Key to authenticate and prove the right to assume the role.

The only time that an Access Key and Secret Key are not required is for login to the AWS Management Console, but the console is still using an Access Key to call the AWS API.

Bottom line: An Access Key and Secret Key is required to access AWS resources.