This article details how developers with appropriate permissions can rotate their AWS keys. This should be done at least once every 90 days.
1️⃣ Verify your tools
Run:
- `eb` works → Elastic Beanstalk CLI installed
- `aws` works → AWS CLI installed (recommended but not required)
⚠️ EB CLI does not automatically install AWS CLI.
2️⃣ Create a new access key (no downtime)
Preferred method: AWS Console
AWS Console → IAM → Users → (your user) → Security credentials → Access keys → Create access key
Copy:
- Access Key ID
- Secret Access Key (shown once)
3️⃣ Update local AWS credentials
If you use the default profile:
If you use a named profile:
Enter:
- New Access Key ID
- New Secret Access Key
- Region (keep existing, e.g. `us-east-1`)
- Output format (optional)
If `aws` is not installed, manually update: `~/.aws/credentials`
4️⃣ Verify credentials
Run:
(Or add --profile YOURPROFILE)
✅ You should see your AWS account + IAM user ARN.
5️⃣ Verify Elastic Beanstalk still works
From your project directory:
If you use a named profile:
6️⃣ Update any automation using old keys
Check and update all places where keys may exist:
- CI/CD secrets (GitHub Actions, GitLab, etc.)
- Local `.env` files
- Deployment scripts
- Shared servers / jump boxes
7️⃣ Delete the old access key
After everything works:
AWS Console → IAM User → Security credentials → Delete old access key
8️⃣ Final confirmation (reply once done)
Please confirm:
- ✅ New access key created
- ✅ Local credentials updated
- ✅ `aws sts get-caller-identity` works
- ✅ `eb status` works
- ✅ Old access key deleted
🔧 Troubleshooting
Most issues are caused by:
- Wrong profile
- Old keys still referenced in CI
- `AWS_PROFILE` set unexpectedly
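A check to run before deleting the old key (steps 6 and 7) and when troubleshooting, as an added example that is not part of the original article: it lists files that still contain the old Access Key ID and reports environment variables that change which credentials the CLI picks up. The function names, key IDs and sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical;
# the key IDs and files below are constructed sample data.

# List files under DIR that still contain the old Access Key ID.
# Searching for the ID (not the secret) keeps the secret off the command line.
find_old_key_refs() {
    old_id=$1; dir=$2
    # -r recurse (includes dotfiles such as .env), -l names only, -F literal match
    { grep -rlF -- "$old_id" "$dir" 2>/dev/null || true; } | LC_ALL=C sort
}

# Print environment variables that change which credentials the CLI uses:
# AWS_PROFILE selects a profile; the key variables override ~/.aws/credentials.
env_overrides() {
    for v in AWS_PROFILE AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
        eval "val=\${$v:-}"
        if [ -n "$val" ]; then echo "$v"; fi
    done
}

# Succeeds only when no file references the old ID and no override is set.
safe_to_delete() {
    [ -z "$(find_old_key_refs "$1" "$2")" ] && [ -z "$(env_overrides)" ]
}

# Demo on a constructed project tree.
demo=$(mktemp -d)
mkdir -p "$demo/scripts"
printf 'AWS_ACCESS_KEY_ID=AKIAOLDKEYEXAMPLE000\n' > "$demo/.env"
printf 'export AWS_ACCESS_KEY_ID=AKIAOLDKEYEXAMPLE000\neb deploy\n' > "$demo/scripts/deploy.sh"
printf 'AWS_ACCESS_KEY_ID=AKIANEWKEYEXAMPLE000\n' > "$demo/.env.new"

echo "Files still referencing the old key:"
find_old_key_refs AKIAOLDKEYEXAMPLE000 "$demo"
echo "Credential-related environment variables currently set:"
env_overrides
if safe_to_delete AKIAOLDKEYEXAMPLE000 "$demo"; then
    echo "OK to delete the old key"
else
    echo "Do not delete the old key yet"
fi
rm -rf "$demo"
```

Run it against each project directory and on any shared server or jump box where keys may live; CI/CD secret stores have to be checked in their own UI.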
Step by Step Scribe with Screenshots on How to Access AWS Console and Create/Rotate Keys:
https://scribehow.com/viewer/Create_AWS_Access_Key_and_Update_Password__tktFjX7vTeC7XfOb4EPk7g
AWS access keys must NOT be stored in source code, repositories, configuration files, or deployed applications. Access keys constitute sensitive authentication credentials. If exposed, they may be used to gain unauthorized programmatic access to AWS resources, including the ability to provision infrastructure, modify services, or impact production systems and generate significant cost increases, even when within the scope of the assigned permissions.
Access keys must be securely stored using approved credential management mechanisms and handled in accordance with the organization’s access control and secret management policies.