Loading...
Back

How to change the credentials from access key/secret key to AssumeRole

AWS WAF ClassicAWS WAF v2Old PlanNew PlanAdvancedLegacyUsage

Overview

This article explains how to switch to using AssumeRole (IAM Role) if you are currently using the access key/secret key (IAM User) as your credential information.

*It is not recommended to use an access key/secret key. We recommend using AssumeRole.

How to check the resources to be changed

You will be able to see the list of resources associated with the credential information that uses an access key/secret key under the [Used by the following resources] section if you click on the name of the credential information. Change the associated credential information for each resource listed to those of AssumeRole.

*If the [Credential Type] is listed as [Access Key], the selected credential information uses the access key/secret key.

For Advanced rule policy

[WAF Config] tab under [Used by the following resources] lists the name of WAF Configs associated with the credential information.

The tab will be unavailable if the Advanced rule policy WAF Configs are not associated with the credential information.

For Legacy rule policy

[(Legacy) WAF Config] tab under [Used by the following resources] lists the name of WAF Configs associated with the credential information.

The tab will be unavailable if the Legacy rule policy WAF Configs are not associated with the credential information.

In addition, you will be configuring the access log retrieval feature if you are using the Legacy rule policy. In such a case, you will also be able to see the list of Web Site Configs under the [(Legacy) Access log retrieval] tab in the [Used by the following resources] section.

How to change the associated credential information

Please create an IAM Role following the procedures in one of the pages below before changing the associated credential information.

  • How to configure Credential Store for AWS WAF v2 (new plan/MP ver.)
  • How to configure Credential Store for AWS WAF Classic/AWS WAF v2 (old plan)

For Advanced rule policy

  1. Click the WAF Config ID displayed under [Used by the following resources].
  2. Click the [Edit] button with the [Basic Configuration] tab opened.
  3. Select the credential information for the new IAM Role from the [Credential Store] drop-down menu.
  4. Click the [Add] button.
  5. Click the [Add] button again on the confirmation page.

Once you click the [Add] button, the resources will be revalidated, and rules will be reapplied. If the validation status returns an error, please see the Errors shown on each resource for AWS WAF Classic/AWS WAF v2 page to check the status.

For Legacy rule policy

You will be editing both WAF Config's credential information and Web Site Config's credential information.

  1. Open the list of WAF Configs.
  2. Click the WAF Config name based on the WAF Config name shown under the [Used by the following resources] section.
  3. Click the [Edit] button with the [Basic Configuration] tab opened.
  4. Select the credential information for the new IAM Role from the [Credential Store] drop-down menu.
  5. Click the [Add] button.
  6. Click the same WAF Config name once you are back on the list of WAF Configs.
  7. Click the [Edit] button with the [Log and Notification Configuration] tab opened.
  8. Click on the [Web Site Config] toggle.
  9. Select the credential information for the new IAM Role from the [Credential] drop-down menu.
  10. Click the [Add] button.
  11. Click the [Add] button again on the confirmation page.

If you have multiple Web Site Configs registered, please repeat steps 8 to 10 for each Web Site Config.