# Manage API Keys

API Keys can't be updated or reassigned to another role; you can only create, list, or delete them.

```bash
exo iam api-key delete EXO1234567890
```

When deleting, prefer the key's ID (_EXO..._) over its name.

## Migrating Legacy Access Keys

If you have been using our services for a while, you might have noticed older keys, known as Access Keys, labeled `Legacy` on the platform.

It is currently not possible to _migrate_ Access Keys, but you can reproduce an existing Access Key's behavior by creating a Role with a specific policy.

### Unrestricted Access Keys

This is the simple scenario: create a Role with default settings and API Keys to go along with it.

### Restricted Access Keys

Start by getting the Access Key's _Operations_.

```bash
exo iam access-key show EXO...
```

Output:

```text
┼────────────────┼──────────────────────────────────────────────────┼
│ IAM ACCESS KEY │                                                  │
┼────────────────┼──────────────────────────────────────────────────┼
│ Name           │ my-legacy-access-key                             │
│ Type           │ restricted                                       │
│ API Key        │ EXOXXXXXXXXXXXXXXXXXXXXXXXX                      │
│ API Secret     │ *******************************************      │
│ Operations     │ create-load-balancer                             │
│                │ delete-load-balancer                             │
│                │ list-dns-domain-records                          │
┼────────────────┼──────────────────────────────────────────────────┼
```

Create an initial policy with `"default-service-strategy": "deny"`, so that anything not explicitly allowed is refused:

```json
{
  "default-service-strategy": "deny",
  "services": {

  }
}
```

Classify the operations by service class by [referring to this document]({{< ref "/product/security/iam/reference/" >}}). For example, `create-load-balancer` belongs to `compute`, and `list-dns-domain-records` belongs to `dns`.

For each service class, add a key to the policy under `"services"`, then populate it as follows:

```json
{
  "default-service-strategy": "deny",
  "services": {
    "compute": {"type": "rules",
                "rules": [{"action": "allow"
                            "expression": "operation in ['create-load-balancer', 'delete-load-balancer']"}]},
    "dns":     {"type": "rules",
                "rules": [{"action": "allow"
                            "expression": "operation in ['list-dns-domain-records']"}]}
  }
}
```

Pass the finished policy to the CLI through STDIN.

```bash
cat policy.json | exo iam role create migrated-access-key-role --policy -
```

Finally, create an API Key referencing the role:

```bash
exo iam api-key create migrated-my-legacy-access-key migrated-access-key-role
```
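
The classification and policy-building steps above can be scripted. The following Python is an added example, not part of the Exoscale CLI or documentation: `SERVICE_OF` and `build_policy` are hypothetical names, the table holds only the three operation-to-service mappings shown on this page, and the operation-name pattern is an assumption. Unknown or malformed operations are rejected rather than guessed.

```python
import json
import re

# Operation -> service class. Only the three mappings shown on this page are
# included; extend it from the IAM reference before migrating other keys.
SERVICE_OF = {
    "create-load-balancer": "compute",
    "delete-load-balancer": "compute",
    "list-dns-domain-records": "dns",
}

# Operation names end up inside a quoted expression, so accept only
# lowercase words joined by hyphens (assumed naming pattern).
OPERATION_RE = re.compile(r"[a-z0-9]+(-[a-z0-9]+)*")


def build_policy(operations):
    """Return a deny-by-default policy allowing exactly `operations`."""
    by_service = {}
    for op in operations:
        if not OPERATION_RE.fullmatch(op):
            raise ValueError(f"malformed operation name: {op!r}")
        if op not in SERVICE_OF:
            # Fail closed: never guess a service class for an unknown operation.
            raise ValueError(f"no service class known for: {op!r}")
        by_service.setdefault(SERVICE_OF[op], set()).add(op)

    services = {}
    for service, ops in sorted(by_service.items()):
        quoted = ", ".join(f"'{op}'" for op in sorted(ops))
        services[service] = {
            "type": "rules",
            "rules": [{"action": "allow",
                       "expression": f"operation in [{quoted}]"}],
        }
    return {"default-service-strategy": "deny", "services": services}


if __name__ == "__main__":
    # Constructed sample: the Operations column from the output above.
    legacy_ops = ["create-load-balancer", "delete-load-balancer",
                  "list-dns-domain-records"]
    print(json.dumps(build_policy(legacy_ops), indent=2))
```

Redirect the printed JSON into `policy.json` and compare its operations against the Access Key's _Operations_ list before creating the role.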

