IAM User

Rotating AWS IAM account passwords with Keeper


In this guide, you will learn how to rotate passwords for AWS IAM users. In Keeper, the PAM Configuration contains all of the information needed to rotate passwords. The record containing the AWS IAM user accounts to be rotated are stored in the PAM User record.

For a high-level overview on the rotation process in the AWS cloud environment, visit this page.


This guide assumes the following tasks have already taken place:

  • Keeper Secrets Manager is enabled for your enterprise and your role

  • Keeper Rotation is enabled for your role

  • A Keeper Secrets Manager application has been created

  • A Keeper Rotation gateway is already installed and running

  • Your AWS environment is configured per our documentation

The Keeper Gateway uses AWS APIs to rotate the credentials defined in the PAM User records.

1. Create Shared Folder

In this folder, you’ll create records for the AWS IAM accounts that you’ll rotate. You will create a PAM User record for each user that will be rotated.

2. Create PAM User Records

Keeper Rotation uses the AWS API to rotate the PAM User records in your AWS environment. The PAM User records need to be in a shared folder that is shared to the KSM application created in the prerequisites.

The following table lists all the required fields on the PAM User record:



Keeper record title i.e. AWS user: TestUser


Case sensitive username of the account being rotated. This is the last section of the ARN: ...:user/TestUser


Providing a password is optional. Performing a rotation will set one if this field is left blank.

Distinguished Name

This is the full ARN of the user identity, e.g: arn:aws:iam::123456789:user/TestUser

3. Set up PAM Configuration

Note: You can skip this step if you already have a PAM configuration set up.

In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:



Configuration name, example: AWS IAM Configuration


Select: AWS


Select the Gateway that is configured on the Keeper Secrets Manager application.

Application Folder

Select the Shared folder from Step 1 that contains the PAM User record(s) which will be rotated.

Admin Credentials Record

This is not required for IAM User rotations. It may be required for other use cases.


A unique ID for this instance of AWS. This is for your reference and can be anything, but its recommended to be kept short Ex: AWS-1

Access Key ID

Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Access Key ID.

Access Secret Key

Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Secret Access Key.

For more details on all the configurable fields in the PAM Network Configuration record, visit this page.

4. Configure Rotation on the PAM User Records

Select the PAM User record(s) from Step 2, edit the record and open the "Password Rotation Settings".

  • Select the desired schedule and password complexity.

  • The "Rotation Settings" should use the PAM Configuration setup previously.

  • The "Resource Credential" field is not needed

  • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Any user with edit rights to a PAM User record has the ability to setup rotation for that record.

Note: The user must have AWS Console access and at minimum have a temporary password set in the AWS Console before the password can be rotated.

Last updated