# IAM User Password

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FHNHUe16FtIGdUgdUNlBe%2FIAM%20User.jpg?alt=media&#x26;token=e97f24e1-a1f4-42bb-898d-2abc25c90e62" alt=""><figcaption></figcaption></figure>

## Overview

In this guide, you will learn how to rotate passwords for AWS IAM users. In Keeper, the **PAM Configuration** contains all of the information needed to rotate passwords. Each AWS IAM user account to be rotated is stored in its own **PAM User** record.

## Prerequisites

This guide assumes the following tasks have already taken place:

* Keeper Secrets Manager is enabled for your [role](https://docs.keeper.io/en/keeperpam/getting-started/enforcement-policies#secrets-manager)
* Keeper Rotation is enabled for your [role](https://docs.keeper.io/en/keeperpam/getting-started/enforcement-policies#keeper-rotation)
* A Keeper Secrets Manager [application](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/applications) has been created
* A Keeper Rotation [gateway](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways) is already installed and running
* Your AWS environment is [configured](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-configuration/aws-environment-setup) per our documentation

The Keeper Gateway uses AWS APIs to rotate the credentials defined in the **PAM User** records.

## 1. Create Shared Folder <a href="#managed-directory-services" id="managed-directory-services"></a>

In this folder, you’ll create records for the AWS IAM accounts that you’ll rotate. You will create a **PAM User** record for each user that will be rotated.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FwC0l0QJfCl7AtOqW2D9W%2FScreenshot%202023-05-11%20at%204.30.18%20PM.jpg?alt=media&#x26;token=fe098b44-01f8-472d-8e4f-2053259d1ad6" alt=""><figcaption><p>Shared Folder containing PAM User records</p></figcaption></figure>

{% hint style="warning" %}
Note: The target user to be rotated must have AWS Console access and at minimum have a temporary password set in the AWS Console before the password can be rotated.
{% endhint %}

## 2. Create PAM User Record(s)

Keeper Rotation uses the AWS API to rotate the PAM User records in your AWS environment. The PAM User records need to be in a shared folder that is shared to the KSM application created in the prerequisites.

The following table lists all the required fields on the PAM User record:

<table><thead><tr><th width="213.5">Field</th><th>Description</th></tr></thead><tbody><tr><td><strong>Title</strong></td><td>Keeper record title, e.g. <code>AWS user: TestUser</code></td></tr><tr><td><strong>Login</strong></td><td>Case-sensitive username of the account being rotated.</td></tr><tr><td><strong>Password</strong></td><td>Providing a password is optional. Performing a rotation will set one if this field is left blank.</td></tr><tr><td><strong>Distinguished</strong> <strong>Name</strong></td><td>The full ARN of the user identity, e.g. <code>arn:aws:iam::123456789:user/TestUser</code></td></tr></tbody></table>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FuKjUNtKp16pQFySlZHHF%2FScreenshot%202023-05-11%20at%204.26.22%20PM.jpg?alt=media&#x26;token=fff1581d-b7c7-487b-9d4a-27ee74cec4c9" alt=""><figcaption><p>PAM User records for IAM Users</p></figcaption></figure>

## 3. Set up PAM Configuration <a href="#managed-directory-services" id="managed-directory-services"></a>

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".

The following table lists all the required fields on the **PAM Configuration** record:

<table><thead><tr><th width="195">Field</th><th>Description</th><th data-hidden></th></tr></thead><tbody><tr><td><strong>Title</strong></td><td>Configuration name, for example <code>AWS IAM Configuration</code></td><td></td></tr><tr><td><strong>Environment</strong></td><td>Select: <code>AWS</code></td><td></td></tr><tr><td><strong>Gateway</strong></td><td>Select the Gateway that is configured on the Keeper Secrets Manager application.</td><td></td></tr><tr><td><strong>Application</strong> <strong>Folder</strong></td><td>Select the shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records.</td><td></td></tr><tr><td><strong>AWS ID</strong></td><td>A unique ID for this instance of AWS. This is only for your reference and can be anything, but it is recommended to keep it short.<br>Ex: <code>AWS-DepartmentName</code></td><td></td></tr><tr><td><strong>Access Key ID</strong></td><td>Set this field to <code>USE_INSTANCE_ROLE</code> if you are using an EC2 role policy (default). Otherwise use a specific Access Key ID.</td><td></td></tr><tr><td><strong>Access Secret Key</strong></td><td>Set this field to <code>USE_INSTANCE_ROLE</code> if you are using an EC2 role policy (default). Otherwise use a specific Secret Access Key.</td><td></td></tr></tbody></table>

For more details on all the configurable fields in the PAM Configuration record, visit this [page](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-configuration).
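The two tables above leave room for silent mistakes that only surface when the first rotation fails: a Distinguished Name that is not a full IAM user ARN, a Login whose case differs from the ARN's user name, or a credential pair where only one field says `USE_INSTANCE_ROLE`. The following preflight check is an added example, not Keeper's own code; the `PamUser` class, the function names and the ARN pattern (which also accepts the `aws-cn`/`aws-us-gov` partitions and IAM user paths) are assumptions made here.

```python
import re
from dataclasses import dataclass
from typing import List

# Full IAM user ARN as required in the "Distinguished Name" field, e.g.
# arn:aws:iam::123456789:user/TestUser. Partition and user path are accepted
# (assumption: the gateway resolves the user from the last path segment).
USER_ARN = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d+):user/(.+)$")
INSTANCE_ROLE = "USE_INSTANCE_ROLE"


@dataclass
class PamUser:
    """Hypothetical mirror of the PAM User record fields from the table above."""
    title: str
    login: str
    distinguished_name: str
    password: str = ""  # optional: a rotation sets one if left blank


def check_pam_user(rec: PamUser) -> List[str]:
    """Return the problems that would make an IAM User rotation fail."""
    problems = []
    if not rec.login:
        problems.append("Login is empty")
    m = USER_ARN.match(rec.distinguished_name.strip())
    if not m:
        problems.append("Distinguished Name is not a full IAM user ARN")
        return problems
    # The ARN's user name is the last path segment; Login is case sensitive.
    arn_user = m.group(3).rsplit("/", 1)[-1]
    if arn_user != rec.login:
        hint = " (case differs)" if arn_user.lower() == rec.login.lower() else ""
        problems.append(f"Login {rec.login!r} does not match ARN user {arn_user!r}{hint}")
    return problems


def check_credentials(access_key_id: str, secret_key: str) -> List[str]:
    """Both fields must say USE_INSTANCE_ROLE, or both must hold a key pair."""
    uses_role = (access_key_id == INSTANCE_ROLE, secret_key == INSTANCE_ROLE)
    if uses_role == (True, True):
        return []
    if True in uses_role:
        return ["Access Key ID and Access Secret Key must both be USE_INSTANCE_ROLE or both be keys"]
    if not access_key_id or not secret_key:
        return ["Access Key ID and Access Secret Key are both required"]
    return []


if __name__ == "__main__":
    # Constructed sample records, not taken from any real account.
    print(check_pam_user(PamUser("AWS user: TestUser", "TestUser", "arn:aws:iam::123456789:user/TestUser")))
    print(check_pam_user(PamUser("AWS user: TestUser", "testuser", "arn:aws:iam::123456789:user/TestUser")))
    print(check_credentials("USE_INSTANCE_ROLE", ""))
```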

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FUJdbTkl8X0VA8sIwhvUq%2FScreenshot%202023-05-11%20at%204.32.14%20PM.jpg?alt=media&#x26;token=97dc605c-92a2-432d-ba5f-48ef2dc903e8" alt=""><figcaption><p>PAM Configuration for AWS Environment</p></figcaption></figure>

## 4. Configure Rotation on the PAM User Records

Select the **PAM User** record(s) from Step 2, edit the record and open the "Password Rotation Settings".

* Select "IAM User" as the rotation method, since this uses AWS APIs.
* The "Rotation Settings" should use the PAM Configuration set up previously.
* Select the desired schedule and password complexity.
* Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FjNEMn58x89jzgFnG5A4X%2FScreenshot%202025-02-08%20at%2012.01.05%E2%80%AFPM.png?alt=media&#x26;token=df381b81-6570-4852-a749-2727ba1f8579" alt=""><figcaption><p>AWS IAM User Password</p></figcaption></figure>

Any user with `edit` rights to a PAM User record has the ability to set up rotation for that record.

Note: The user must have AWS Console access and at minimum have a temporary password set in the AWS Console before the password can be rotated.

