0
votes

I want to concatenate my Access Key ID and Secret Access Key together so I can easily rotate the credentials with Azure Key Vault. I'm having trouble finding out which characters will not be used by either the generated Access Key ID or the Secret Access Key to keep them separated in the concatenated string. Is it safe to use a semicolon or a colon?

Edit: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AccessKey.html indicates that the Access Key ID can contain any nonspace character, although I'm not sure if generated IDs are more limited in practice. Unfortunately, no guidelines are given for Secret Access Keys. Is a space a reasonable separator?


1 Answer

2
votes

Amazon actually provide regular expressions for searching for access keys and secret access keys in this article, which we can use to tell what characters are used:

Search for access key IDs: (?<![A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9]). In English, this regular expression says: Find me 20-character, uppercase, alphanumeric strings that don’t have any uppercase, alphanumeric characters immediately before or after.

Search for secret access keys: (?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=]). In English, this regular expression says: Find me 40-character, base-64 strings that don’t have any base 64 characters immediately before or after.

So letters and numbers could appear in the access key, and those plus the characters /+= could appear in the secret key. This means a semicolon or a colon would be safe choices for a separator.
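An added example, not part of the answer above: packing the pair into a single Key Vault secret value with a colon and splitting it again, validating both halves against the character sets from the quoted regexes so that a key in an unexpected format is rejected rather than split wrongly. The function names and sample values are constructed for illustration.

```python
import re

# Character sets taken from the search regexes quoted in the answer above.
ACCESS_KEY_ID_RE = re.compile(r"[A-Z0-9]{20}")
SECRET_KEY_RE = re.compile(r"[A-Za-z0-9/+=]{40}")
SEPARATOR = ":"  # outside both character sets


def _validate(access_key_id: str, secret_access_key: str) -> None:
    # fullmatch: the whole string must fit the pattern, so a separator
    # (or any other character outside the set) in either part is rejected.
    # Error messages deliberately omit the values themselves.
    if not ACCESS_KEY_ID_RE.fullmatch(access_key_id):
        raise ValueError("access key ID does not match the expected format")
    if not SECRET_KEY_RE.fullmatch(secret_access_key):
        raise ValueError("secret access key does not match the expected format")


def pack(access_key_id: str, secret_access_key: str) -> str:
    """Join the pair into one secret value, refusing anything unexpected."""
    _validate(access_key_id, secret_access_key)
    return access_key_id + SEPARATOR + secret_access_key


def unpack(value: str) -> tuple[str, str]:
    """Split a stored value back into (access_key_id, secret_access_key)."""
    parts = value.split(SEPARATOR)
    if len(parts) != 2:
        raise ValueError("expected exactly one separator")
    _validate(parts[0], parts[1])
    return parts[0], parts[1]


# Constructed sample values, not real credentials.
SAMPLE_ID = "AKIA" + "EXAMPLE0" * 2
SAMPLE_SECRET = "Ab0/+" * 8

if __name__ == "__main__":
    stored = pack(SAMPLE_ID, SAMPLE_SECRET)
    assert unpack(stored) == (SAMPLE_ID, SAMPLE_SECRET)
    print("round trip ok, stored length:", len(stored))
```

Validating on both write and read means that if a future key ever falls outside these character sets, the rotation job fails loudly instead of storing a value that cannot be split back unambiguously.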