PAM-CM-3391: AWS Key Pair can be changed only by random generation

Article ID: 274625


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We have an existing synchronized AWS access key target account that we want to switch to a new key. But when we try to save the account with the new credentials we get the following error:

PAM-CM-3391: AWS Key Pair can be changed only by random generation

We don't see a call into AWS using either the old or the new key.

Environment

Release : 4.1

Cause

Unlike other target application types, new credentials for an AWS access key are generated in AWS itself. They cannot be generated by PAM, nor entered manually by a PAM administrator. The common account update task works with two objects: one holds the old target account information, the other the new. For accounts where PAM generates new credentials, or where a PAM administrator enters new credentials in the PAM UI, the second object holds the new credentials. The AWS target connector compares both objects. If they do not match because the PAM administrator tried to update the target account with a different key, the connector throws the PAM-CM-3391 error and does not attempt to connect to AWS at all, which is why no call with either the old or the new key is observed.
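As an added illustration (not PAM's own code; the object, client and function names are assumptions), a small Python model of the two-object comparison described above: a manually entered key that differs from the stored one is rejected before any AWS call is made, while a PAM-driven random generation in AWS passes the check.

```python
# Hypothetical model of the connector's update check; NOT PAM's code.
# The FakeAws client only records calls so the "no call to AWS" behaviour is visible.
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class AwsTargetAccount:
    name: str
    access_key_id: str
    secret_access_key: str
    generated_by_pam: bool = False   # True only when PAM rotated the key in AWS


class PamError(Exception):
    """Raised with the PAM-CM-xxxx code the UI would display."""


class FakeAws:
    """Stand-in for the AWS side; every call is recorded in .calls."""
    def __init__(self):
        self.calls = []

    def create_access_key(self, old_key_id):
        self.calls.append(f"CreateAccessKey (replacing {old_key_id})")
        # Constructed sample values; a real key pair would come back from AWS IAM.
        return "AKIA" + secrets.token_hex(8).upper(), secrets.token_urlsafe(30)


def apply_update(existing, requested, aws):
    """The connector compares the old and new objects before touching AWS."""
    key_changed = (requested.access_key_id, requested.secret_access_key) != (
        existing.access_key_id, existing.secret_access_key)
    if key_changed and not requested.generated_by_pam:
        raise PamError("PAM-CM-3391: AWS Key Pair can be changed only by random generation")
    aws.calls.append(f"VerifyCredentials {requested.access_key_id}")
    return requested


def rotate_by_random_generation(existing, aws):
    """The only path that may change the key: PAM asks AWS for a new one."""
    new_id, new_secret = aws.create_access_key(existing.access_key_id)
    return apply_update(existing, AwsTargetAccount(existing.name, new_id, new_secret, True), aws)


def save_with_manual_key(existing, new_id, new_secret, aws):
    """An administrator saving a key typed into the existing account."""
    return apply_update(existing, AwsTargetAccount(existing.name, new_id, new_secret), aws)


def manual_change_error(existing, new_id, new_secret, aws):
    """Return the error text a manual key change produces, or None if it was accepted."""
    try:
        save_with_manual_key(existing, new_id, new_secret, aws)
        return None
    except PamError as err:
        return str(err)
```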

Resolution

A new access key has to be defined in a new target account. If the keys in your existing target account are not valid anymore, you will have to discard it and create a new target account.