Programmatic Identities
Access keys are credentials for programmatic identities. A programmatic identity is the non-human actor in IAM; an access key is one way for that identity to authenticate. Trust policies apply to the programmatic identity, not to the credential itself.
A programmatic identity starts with no permissions. You configure a trust policy for the identity to grant it access to the resources it needs. Access keys do not themselves carry IAM scope; they authenticate as the programmatic identity whose trust relationships and policies define what it may do.
Common examples
Full access to a specific database
The most common setup: give a programmatic identity permission to run any command against a single database, then authenticate as that identity using an access key.
Full access to all databases in the organisation
Use a wildcard resource to grant a programmatic identity access to every database the organisation owns, including ones created in the future.
`kvdb/*` as a resource grants access to all current and future databases in your organisation. Only use this when that scope is intentional.
Read-only access to a database
Allow a programmatic identity to read data but not write or delete anything.
Access to multiple databases
Grant a programmatic identity access to two specific databases in a single statement.
Least privilege
We recommend following the principle of least privilege: grant programmatic identities only the permissions they actually need, scoped to the specific databases they should be able to reach.
- Prefer `kvdb/<id>` over `kvdb/*` unless your application genuinely needs access to all databases.
- Use `Deny` statements to explicitly block destructive operations like `kvdb:ExecuteFlushall` even if you're granting broad access.
- Create separate programmatic identities for separate services, then attach credentials to each identity rather than sharing one broad machine actor.
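The scoping and least-privilege rules above (single database vs. `kvdb/*`, explicit `Deny` on `kvdb:ExecuteFlushall`) as an added, runnable illustration; this is not the service's own code. The `Effect`/`Action`/`Resource` statement shape and every action name other than `kvdb:ExecuteFlushall` are assumptions made for the example.

```python
import fnmatch

# Constructed sample policies. The statement shape and the action names other
# than kvdb:ExecuteFlushall are assumptions, not the service's documented schema.
READONLY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["kvdb:Get", "kvdb:Scan"], "Resource": "kvdb/db-analytics"},
]}
OPS_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "kvdb:*", "Resource": "kvdb/*"},
    {"Effect": "Deny", "Action": "kvdb:ExecuteFlushall", "Resource": "kvdb/*"},
]}
OVERBROAD_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "kvdb:*", "Resource": "kvdb/*"},
]}


def _matches(pattern, value):
    """Action and Resource may be a string or a list; '*' is a wildcard."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Default deny. An explicit Deny wins over any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def lint(policy):
    """Flag the two patterns the least-privilege guidance warns about."""
    findings = []
    # A probe name no real database has: if it is reachable, so is every future one.
    probe = "kvdb/__any-future-database__"
    if any(s["Effect"] == "Allow" and _matches(s["Resource"], probe)
           for s in policy["Statement"]):
        findings.append("Allow reaches kvdb/*: every current and future database")
        if is_allowed(policy, "kvdb:ExecuteFlushall", probe):
            findings.append("kvdb:ExecuteFlushall is not explicitly denied")
    return findings


if __name__ == "__main__":
    for name, policy in [("readonly", READONLY_POLICY), ("ops", OPS_POLICY),
                         ("overbroad", OVERBROAD_POLICY)]:
        print(name, lint(policy) or "ok")
```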