diff --git a/garage.go b/garage.go
index 4e23e8f..e8962ae 100644
--- a/garage.go
+++ b/garage.go
@@ -1,9 +1,12 @@
 package main
 
 import (
+    "errors"
+    "log"
 	"net/http"
     "context"
     "fmt"
+	"github.com/go-ldap/ldap/v3"
      garage "git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-golang"
 )
 
@@ -21,26 +24,82 @@ func gadmin() (*garage.APIClient, context.Context) {
 }
 
 
-func createKey(name string) error {
+func grgCreateKey(name string) (*garage.KeyInfo, error) {
     client, ctx := gadmin()
 
     kr := garage.AddKeyRequest{Name: &name}
     resp, _, err := client.KeyApi.AddKey(ctx).AddKeyRequest(kr).Execute()
     if err != nil {
         fmt.Printf("%+v\n", err)
-        return err
+        return nil, err
     }
-    fmt.Printf("%+v\n", resp)
-    return nil
+    return resp, nil
+}
+
+func grgGetKey(accessKey string) (*garage.KeyInfo, error) {
+    client, ctx := gadmin()
+
+    resp, _, err := client.KeyApi.GetKey(ctx, accessKey).Execute()
+    if err != nil {
+        fmt.Printf("%+v\n", err)
+        return nil, err
+    }
+    return resp, nil
+}
+
+
+func checkLoginAndS3(w http.ResponseWriter, r *http.Request) (*LoginStatus, *garage.KeyInfo, error) {
+	login := checkLogin(w, r)
+	if login == nil {
+		return nil, nil, errors.New("LDAP login failed")
+	}
+
+	keyID := login.UserEntry.GetAttributeValue("garage_s3_access_key")
+    if keyID == "" {
+        keyPair, err := grgCreateKey(login.Info.Username)
+        if err != nil {
+            return login, nil, err
+        }
+		modify_request := ldap.NewModifyRequest(login.Info.DN, nil)
+		modify_request.Replace("garage_s3_access_key", []string{*keyPair.AccessKeyId})
+        // @FIXME compatibility feature for bagage (SFTP+webdav)
+        // you can remove it once bagage will be updated to fetch the key from garage directly
+        // or when bottin will be able to dynamically fetch it.
+		modify_request.Replace("garage_s3_secret_key", []string{*keyPair.SecretAccessKey})
+        err = login.conn.Modify(modify_request)
+        return login, keyPair, err
+    }
+    // Note: we could simply return the login info, but LX asked we do not 
+    // store the secrets in LDAP in the future.
+    keyPair, err := grgGetKey(keyID)
+    return login, keyPair, err
+}
+
+type keyView struct {
+	Status         *LoginStatus
+    Key            *garage.KeyInfo
 }
 
 func handleGarageKey(w http.ResponseWriter, r *http.Request) {
-    createKey("toto")
+    login, s3key, err := checkLoginAndS3(w, r)
+    if err != nil {
+        log.Println(err)
+        return
+    }
+    view := keyView{Status: login, Key: s3key}
+
     tKey := getTemplate("garage_key.html")
-	tKey.Execute(w, nil)
+	tKey.Execute(w, &view)
 }
 
 func handleGarageWebsiteList(w http.ResponseWriter, r *http.Request) {
+    login, s3key, err := checkLoginAndS3(w, r)    
+    if err != nil {
+        log.Println(err)
+        return
+    }
+    log.Println(login, s3key)
+
     tWebsiteList := getTemplate("garage_website_list.html")
 	tWebsiteList.Execute(w, nil)
 }
@@ -51,6 +110,13 @@ func handleGarageWebsiteNew(w http.ResponseWriter, r *http.Request) {
 }
 
 func handleGarageWebsiteInspect(w http.ResponseWriter, r *http.Request) {
+    login, s3key, err := checkLoginAndS3(w, r)
+    if err != nil {
+        log.Println(err)
+        return
+    }
+    log.Println(login, s3key)
+
     tWebsiteInspect := getTemplate("garage_website_inspect.html")
 	tWebsiteInspect.Execute(w, nil)
 }
diff --git a/main.go b/main.go
index 89051f5..0e47e73 100644
--- a/main.go
+++ b/main.go
@@ -255,6 +255,7 @@ func checkLogin(w http.ResponseWriter, r *http.Request) *LoginStatus {
 			"mail",
 			"memberof",
 			"description",
+            "garage_s3_access_key",
 			FIELD_NAME_DIRECTORY_VISIBILITY,
 			FIELD_NAME_PROFILE_PICTURE,
 		},
diff --git a/templates/garage_key.html b/templates/garage_key.html
index 862aabd..b839fcb 100644
--- a/templates/garage_key.html
+++ b/templates/garage_key.html
@@ -22,11 +22,11 @@
             <tbody>
                 <tr>
                     <th scope="row">Identifiant de clé</th>
-                    <td>GKxxx</td>
+                    <td>{{ .Key.AccessKeyId }}</td>
                 </tr>
                 <tr>
                     <th scope="row">Clé secrète</th>
-                    <td>...</td>
+                    <td>{{ .Key.SecretAccessKey }}</td>
                 </tr>
                 <tr>
                     <th scope="row">Région</th>
@@ -62,8 +62,8 @@
                     <div class="card-body">
                         <p>Créez un fichier nommé <code>~/.awsrc</code> :</p>
                         <pre>
-export AWS_ACCESS_KEY_ID=GK...
-export AWS_SECRET_ACCESS_KEY=...
+export AWS_ACCESS_KEY_ID={{ .Key.AccessKeyId }}
+export AWS_SECRET_ACCESS_KEY={{ .Key.SecretAccessKey }}
 export AWS_DEFAULT_REGION='garage'
 
 function aws { command aws --endpoint-url https://garage.deuxfleurs.fr $@ ; }
@@ -97,8 +97,8 @@ aws s3 cp /tmp/a.txt s3://my-bucket
 mc alias set \
   garage \
   https://garage.deuxfleurs.fr \
-  GK... \
-  ... \
+  {{ .Key.AccessKeyId }} \
+  {{ .Key.SecretAccessKey }} \
   --api S3v4
                         </pre>
                         <p>Et ensuite pour utiliser Minio CLI avec :</p>
@@ -176,7 +176,7 @@ hugo deploy
             <tbody>
                 <tr>
                     <th scope="row">Nom d'utilisateur-ice</th>
-                    <td>(votre username guichet)</td>
+                    <td>{{ .Status.Info.Username }}</td>
                 </tr>
                 <tr>
                     <th scope="row">Mot de passe</th>
@@ -207,7 +207,7 @@ hugo deploy
                     <div class="card-body">
                         <p>Un exemple avec SCP :</p>
                         <pre>
-scp -oHostKeyAlgorithms=+ssh-rsa -P2222 -r ./public bagage.deuxfleurs.fr:mon_bucket/
+scp -oHostKeyAlgorithms=+ssh-rsa -P2222 -r ./public {{ .Status.Info.Username }}@bagage.deuxfleurs.fr:mon_bucket/
                         </pre>
                     </div>
                 </div>