# IAM User Password

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FHNHUe16FtIGdUgdUNlBe%2FIAM%20User.jpg?alt=media&#x26;token=e97f24e1-a1f4-42bb-898d-2abc25c90e62" alt=""><figcaption></figcaption></figure>

## Overview

In this guide, you will learn how to rotate passwords for AWS IAM users. In Keeper, the **PAM Configuration** record holds the information the gateway needs to reach your AWS environment, and each AWS IAM user account to be rotated is stored in its own **PAM User** record.

## Prerequisites

This guide assumes the following tasks have already taken place:

* Keeper Secrets Manager is enabled for your [role](https://docs.keeper.io/en/keeperpam/getting-started/enforcement-policies#secrets-manager)
* Keeper Rotation is enabled for your [role](https://docs.keeper.io/en/keeperpam/getting-started/enforcement-policies#keeper-rotation)
* A Keeper Secrets Manager [application](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/applications) has been created
* A Keeper Rotation [gateway](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways) is already installed and running
* Your AWS environment is [configured](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-configuration/aws-environment-setup) per our documentation

The Keeper Gateway uses AWS APIs to rotate the credentials defined in the **PAM User** records.

## 1. Create Shared Folder <a href="#managed-directory-services" id="managed-directory-services"></a>

In this folder, you’ll create records for the AWS IAM accounts that you’ll rotate. You will create a **PAM User** record for each user that will be rotated.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FwC0l0QJfCl7AtOqW2D9W%2FScreenshot%202023-05-11%20at%204.30.18%20PM.jpg?alt=media&#x26;token=fe098b44-01f8-472d-8e4f-2053259d1ad6" alt=""><figcaption><p>Shared Folder containing PAM User records</p></figcaption></figure>

{% hint style="warning" %}
Note: The target IAM user must already have AWS Management Console access with at least a temporary password set in the AWS Console before the password can be rotated. Rotation replaces an existing console password; it does not create console access for a user that has none.
{% endhint %}

## 2. Create PAM User Record(s)

Keeper Rotation uses the AWS API to rotate the console passwords of the IAM users defined by the PAM User records in your AWS environment. The PAM User records must be in a shared folder that is shared to the KSM application created in the prerequisites.

The following table lists all the required fields on the PAM User record:

<table><thead><tr><th width="213.5">Field</th><th>Description</th></tr></thead><tbody><tr><td><strong>Title</strong></td><td>Keeper record title, e.g. <code>AWS user: TestUser</code></td></tr><tr><td><strong>Login</strong></td><td>Case-sensitive IAM user name of the account being rotated. It must match the user name at the end of the ARN exactly.</td></tr><tr><td><strong>Password</strong></td><td>Optional. If this field is left blank, the first rotation generates a password and stores it here.</td></tr><tr><td><strong>Distinguished</strong> <strong>Name</strong></td><td>The full ARN of the IAM user (the account ID is 12 digits), e.g. <code>arn:aws:iam::123456789012:user/TestUser</code></td></tr></tbody></table>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FuKjUNtKp16pQFySlZHHF%2FScreenshot%202023-05-11%20at%204.26.22%20PM.jpg?alt=media&#x26;token=fff1581d-b7c7-487b-9d4a-27ee74cec4c9" alt=""><figcaption><p>PAM User records for IAM Users</p></figcaption></figure>

## 3. Set up PAM Configuration <a href="#managed-directory-services" id="managed-directory-services"></a>

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".

The following table lists all the required fields on the **PAM Configuration** record:

<table><thead><tr><th width="195">Field</th><th>Description</th><th data-hidden></th></tr></thead><tbody><tr><td><strong>Title</strong></td><td>Configuration name, example: <code>AWS IAM Configuration</code></td><td></td></tr><tr><td><strong>Environment</strong></td><td>Select: <code>AWS</code></td><td></td></tr><tr><td><strong>Gateway</strong></td><td>Select the Gateway that is configured on the Keeper Secrets Manager application.</td><td></td></tr><tr><td><strong>Application</strong> <strong>Folder</strong></td><td>Select the shared folder where the PAM Configuration will be stored. We recommend placing it in the same shared folder as the PAM User records.</td><td></td></tr><tr><td><strong>AWS ID</strong></td><td>A unique ID for this instance of AWS. This is only for your reference and can be anything, but it's recommended to keep it short.<br>Ex: <code>AWS-DepartmentName</code></td><td></td></tr><tr><td><strong>Access Key ID</strong></td><td>Set this field to <code>USE_INSTANCE_ROLE</code> if the gateway runs on EC2 and uses its instance role (default). Otherwise enter the Access Key ID of the IAM identity the gateway should use.</td><td></td></tr><tr><td><strong>Access Secret Key</strong></td><td>Set this field to <code>USE_INSTANCE_ROLE</code> if the gateway runs on EC2 and uses its instance role (default). Otherwise enter the matching Secret Access Key.</td><td></td></tr></tbody></table>

For more details on all the configurable fields in the PAM Configuration record, visit this [page](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-configuration).

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FUJdbTkl8X0VA8sIwhvUq%2FScreenshot%202023-05-11%20at%204.32.14%20PM.jpg?alt=media&#x26;token=97dc605c-92a2-432d-ba5f-48ef2dc903e8" alt=""><figcaption><p>PAM Configuration for AWS Environment</p></figcaption></figure>

## 4. Configure Rotation on the PAM User Records

Select the **PAM User** record(s) from Step 2, edit the record and open the "Password Rotation Settings".

* Select "IAM User" as the rotation method, since this uses AWS APIs.
* The "Rotation Settings" should use the PAM Configuration setup previously.
* Select the desired schedule and password complexity.
* Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
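The four steps above set up the records and the configuration; the gateway then performs the rotation against the IAM API. The following is an added example, not Keeper's code, showing what such a rotation consists of: validating that a PAM User record's Login agrees with the user name in its Distinguished Name ARN, checking that the user already has a console login profile (the prerequisite noted in step 1), and then setting a new password through the IAM call that updates a login profile. It runs offline against a constructed stand-in for the IAM client; the function names, the `FakeIamClient`, and the sample records are this example's own, and the page itself does not document which AWS calls the Keeper Gateway uses internally.

```python
"""Added example, not Keeper's code: the pre-flight checks and the AWS IAM
call that rotating an IAM user's console password consists of.  Runs offline
against a constructed FakeIamClient; for real use pass boto3.client("iam") and
missing_exc=iam.exceptions.NoSuchEntityException.  All names are this example's."""
import re
import secrets
import string

# arn:<partition>:iam::<12-digit account>:user/<optional path/>UserName
_USER_ARN = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):iam::(\d{12}):user/"
                       r"((?:[\w+=,.@-]+/)*)([\w+=,.@-]+)$")

def parse_user_arn(arn):
    """Return (partition, account_id, path, user_name) or raise ValueError."""
    m = _USER_ARN.match(arn)
    if not m:
        raise ValueError(f"not an IAM user ARN: {arn!r}")
    partition, account, path, name = m.groups()
    return partition, account, "/" + path, name

def validate_record(record):
    """Login must equal the user name in the Distinguished Name (ARN).
    AWS user names are case sensitive: 'testuser' is not 'TestUser'."""
    name = parse_user_arn(record["distinguished_name"])[3]
    if record["login"] != name:
        raise ValueError(f"Login {record['login']!r} does not match ARN user name {name!r}")
    return name

def generate_password(length=24):
    """CSPRNG password with a lower, upper, digit and symbol guaranteed,
    so it satisfies a typical IAM account password policy."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()_+-=[]{}|"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw

class NoSuchEntity(Exception):
    """Stands in for iam.exceptions.NoSuchEntityException."""

class FakeIamClient:
    """Constructed stand-in for boto3.client('iam') modelling only the two
    calls used below; `console_users` are the users that have a login profile."""
    def __init__(self, console_users):
        self._profiles = set(console_users)
        self.passwords = {}

    def get_login_profile(self, UserName):
        if UserName not in self._profiles:
            raise NoSuchEntity(UserName)
        return {"LoginProfile": {"UserName": UserName}}

    def update_login_profile(self, UserName, Password, PasswordResetRequired):
        if UserName not in self._profiles:
            raise NoSuchEntity(UserName)
        self.passwords[UserName] = Password
        return {}

def rotate_console_password(iam, record, new_password=None, missing_exc=NoSuchEntity):
    """Rotate one record's console password.  A user without a login profile
    (no console access / no temporary password yet) is refused: rotation updates
    an existing password and never creates console access.  PasswordResetRequired
    stays False so the password stored in the vault remains usable."""
    user = validate_record(record)
    try:
        iam.get_login_profile(UserName=user)
    except missing_exc:
        raise RuntimeError(f"{user} has no console login profile; set a temporary password first") from None
    pw = new_password or generate_password()
    iam.update_login_profile(UserName=user, Password=pw, PasswordResetRequired=False)
    return pw

def rotate_all(iam, records, missing_exc=NoSuchEntity):
    """Map each record's Login to 'rotated' or the reason it was skipped."""
    results = {}
    for rec in records:
        try:
            rotate_console_password(iam, rec, missing_exc=missing_exc)
            results[rec["login"]] = "rotated"
        except (ValueError, RuntimeError) as exc:
            results[rec["login"]] = str(exc)
    return results

# Constructed sample PAM User records (only the Login and Distinguished Name fields).
SAMPLE_RECORDS = [
    {"login": "TestUser", "distinguished_name": "arn:aws:iam::123456789012:user/TestUser"},
    {"login": "svc-deploy",  # user created under the IAM path /ops/
     "distinguished_name": "arn:aws:iam::123456789012:user/ops/svc-deploy"},
    {"login": "testuser",  # case does not match the ARN
     "distinguished_name": "arn:aws:iam::123456789012:user/TestUser"},
    {"login": "NoConsole",  # valid record, but the user has no login profile
     "distinguished_name": "arn:aws:iam::123456789012:user/NoConsole"},
]

if __name__ == "__main__":
    fake = FakeIamClient({"TestUser", "svc-deploy"})
    for login, outcome in rotate_all(fake, SAMPLE_RECORDS).items():
        print(f"{login}: {outcome}")
```

Against a real account, `rotate_all(boto3.client("iam"), records, missing_exc=iam.exceptions.NoSuchEntityException)` would perform the same sequence; the credentials it runs under then only need `iam:GetLoginProfile` and `iam:UpdateLoginProfile` on the target users, a much narrower grant than full IAM access, which is worth keeping in mind when scoping the instance role or access key referenced by the PAM Configuration.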

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FjNEMn58x89jzgFnG5A4X%2FScreenshot%202025-02-08%20at%2012.01.05%E2%80%AFPM.png?alt=media&#x26;token=df381b81-6570-4852-a749-2727ba1f8579" alt=""><figcaption><p>AWS IAM User Password</p></figcaption></figure>

Any user with `edit` rights to a PAM User record has the ability to set up rotation for that record, and therefore to trigger a password change on the corresponding AWS IAM user. Share the folder only with users who should hold that capability.

Note: As stated in step 1, the IAM user must already have AWS Console access with at least a temporary password set in the AWS Console before the password can be rotated.
