Securely share AWS access keys, secret keys, or IAM credentials with your team.
An AWS access key pair is a 20-character ID beginning with AKIA (or ASIA for short-lived STS tokens) plus a 40-character secret. That pair authenticates every signed SDK request against IAM, EC2, S3, RDS, Lambda, and roughly 200 other services. Whatever the attached IAM policy permits, an attacker holding the pair can do — including jumping into other AWS accounts when a trust relationship is loose enough to allow it.
GitHub, Pastebin, public S3 indexes, and npm postinstall scripts are continuously crawled by AKIA-pattern scanners. Truffle Security and the AWS Trust and Safety team report that an exposed AKIA pair is typically used within four minutes of going public, with sts:GetCallerIdentity probes following in seconds. The classic outcome is a fleet of c5.24xlarge miners across every region before Fraud Detection trips.
PasteOnce fits the moment a static AKIA pair genuinely must move — bootstrapping a CI runner, handing a break-glass credential to an on-call SRE, or seeding a vendor before federation is wired up. Encryption happens in your browser, the recipient reads once, the ciphertext is purged. Pair every transfer with `aws iam update-access-key --status Inactive`, and budget the credential as already leaked.
Client-side encrypted. We can't see your data.
Your data is encrypted in your browser before it leaves your device.
Messages are automatically deleted after being read once.
We never see your data. Only encrypted blobs pass through our servers.
Links work exactly once. Refresh the page and it's gone forever.
Your sensitive data is encrypted in your browser using AES-256-GCM. The encryption key is generated randomly and never sent to our servers.
Only the encrypted blob is stored in our database, with an automatic expiration time. We literally cannot read your data.
When your recipient opens the link, the encrypted data is fetched and immediately deleted from our servers using an atomic Redis GETDEL. The key in the URL hash decrypts the message in their browser.
Issue federated, time-bounded credentials by configuring a role with a trust policy and calling `aws sts assume-role --role-arn ... --role-session-name ... --duration-seconds 3600`. The resulting ASIA token expires automatically, eliminating the lifecycle problem static AKIAs create.
Add `"Bool": {"aws:MultiFactorAuthPresent": "true"}` and `"NumericLessThan": {"aws:MultiFactorAuthAge": "3600"}` on sensitive actions. An exposed AKIA without the matching MFA device cannot perform iam:*, ec2:RunInstances, or any other guarded operation.
Apply `"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}` on the policy. The pasted credential becomes useless from any address outside the office NAT, your VPN concentrator, or the CI provider's documented egress block.
Set a Budgets alarm at $50 of unexpected spend with an SNS topic that pages on-call. A successful compromise is bounded by the gap between exfiltration and the first GPU launch — long enough for the alarm to fire.
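The MFA and source-IP conditions above, combined into one complete policy document. This is an added example, not PasteOnce's or AWS's own code; the policy name `guarded-actions`, the function names and the `AWS` override variable are assumptions.

```shell
AWS="${AWS:-aws}"   # assumption: set AWS=echo to print the call instead of making it

# Emit an identity policy that allows the guarded actions only when the request
# carries recent MFA AND comes from the given CIDR (condition operators are ANDed).
guarded_policy() {   # usage: guarded_policy <ipv4-cidr> [max-mfa-age-seconds]
  cidr="$1"; age="${2:-3600}"
  # Refuse anything that is not a plain CIDR or integer, so input cannot alter the JSON.
  printf '%s\n' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
  printf '%s\n' "$age" | grep -Eq '^[0-9]+$' || return 1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "GuardedActions",
    "Effect": "Allow",
    "Action": ["iam:*", "ec2:RunInstances"],
    "Resource": "*",
    "Condition": {
      "Bool": {"aws:MultiFactorAuthPresent": "true"},
      "NumericLessThan": {"aws:MultiFactorAuthAge": "$age"},
      "IpAddress": {"aws:SourceIp": ["$cidr"]}
    }
  }]
}
EOF
}
# Requests signed with a bare long-term key carry no aws:MultiFactorAuthPresent key,
# so this Allow never matches them. In a Deny statement, use BoolIfExists with
# "false" instead; a plain Bool test would be skipped when the key is absent.

attach_guarded_policy() {   # usage: attach_guarded_policy <iam-user> <ipv4-cidr>
  doc=$(guarded_policy "$2") || { echo "bad CIDR: $2" >&2; return 1; }
  $AWS iam put-user-policy --user-name "$1" \
    --policy-name guarded-actions --policy-document "$doc"
}
```
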
Before OIDC federation is wired in, an SRE seeds the runner with a deploy credential. They send the AKIA/secret through PasteOnce to the runner admin, who stores it as a repository secret, runs one workflow, then swaps to a GitHub-OIDC `AssumeRoleWithWebIdentity` configuration.
An Identity Center misconfiguration locks engineering out of the management account at 11pm. The on-call principal pulls the sealed root-account credential from the safe, transmits the secret half via PasteOnce to whoever is repairing the SSO permission set, then rotates once federation returns.
A SaaS observability vendor needs initial credentials before their CloudFormation StackSet provisions a read-only role. The customer mints a scoped IAM user, hands the secret across PasteOnce, the onboarding script runs once, and Terraform deletes the user that same day.
A platform team sunsets 47 long-lived IAM users in favor of Identity Center (formerly AWS SSO). Each developer receives a final short-lived credential via PasteOnce, runs `aws configure sso` once, then the underlying user is hard-deleted.
Only when no federated path exists yet — initial account bootstrap, a vendor's first integration, or break-glass recovery. Outside those cases, hand off an `aws sts assume-role` session token or wire up Identity Center; the static pair is debt the moment you create it.
Run `aws iam update-access-key --access-key-id AKIA... --status Inactive` (effective within seconds across all regions), then `aws iam delete-access-key`. Follow with a CloudTrail lookup on the principal across the last 24 hours and check GuardDuty for `UnauthorizedAccess:IAMUser/*` findings.
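The revocation sequence above as a single function, in the same order as the text. This is an added example, not PasteOnce's own tooling; the function names and the `AWS` override variable are assumptions, and the key ID in the usage comment is the placeholder from AWS documentation.

```shell
AWS="${AWS:-aws}"   # assumption: set AWS=echo for a dry run that only prints the calls

key_kind() {   # classify a 20-character key ID by its prefix
  if printf '%s\n' "$1" | grep -Eq '^AKIA[A-Z0-9]{16}$'; then echo static
  elif printf '%s\n' "$1" | grep -Eq '^ASIA[A-Z0-9]{16}$'; then echo session
  else echo invalid; fi
}

since_24h() {   # ISO-8601 UTC timestamp 24 hours back (GNU date, then BSD date)
  date -u -d '24 hours ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null ||
    date -u -v-24H +%Y-%m-%dT%H:%M:%SZ
}

contain_key() {   # usage: contain_key AKIAIOSFODNN7EXAMPLE <iam-user-name>
  key_id="$1"; user="$2"
  case "$(key_kind "$key_id")" in
    session) echo "ASIA IDs are STS session keys; IAM has nothing to deactivate" >&2; return 2 ;;
    invalid) echo "not an AWS access key ID: $key_id" >&2; return 1 ;;
  esac
  # Deactivate first, then delete.
  $AWS iam update-access-key --user-name "$user" --access-key-id "$key_id" --status Inactive || return 1
  $AWS iam delete-access-key --user-name "$user" --access-key-id "$key_id" || return 1
  # CloudTrail: events signed with this key in the last 24 hours.
  # lookup-events reads one region per call; repeat with --region for each region in use.
  $AWS cloudtrail lookup-events \
    --lookup-attributes "AttributeKey=AccessKeyId,AttributeValue=$key_id" \
    --start-time "$(since_24h)" --output json || return 1
  # GuardDuty: findings tied to the key; look for UnauthorizedAccess:IAMUser/* types.
  det=$($AWS guardduty list-detectors --query 'DetectorIds[0]' --output text) || return 1
  $AWS guardduty list-findings --detector-id "$det" --finding-criteria \
    "{\"Criterion\":{\"resource.accessKeyDetails.accessKeyId\":{\"Eq\":[\"$key_id\"]}}}"
}
```
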
Yes — Signature Version 4 needs both halves to sign requests. Some operators split them: AKIA over chat, secret over PasteOnce. That raises the bar for single-channel interception, though it adds friction with no cryptographic guarantee.
An ASIA token plus its session string is safe to relay through PasteOnce because expiration is enforced by AWS itself; an intercepted link past its TTL is already invalid. For roles assumed with `--duration-seconds 900`, the practical exposure window approaches zero.