This documentation is for Version 1 of the AWS CLI only. For documentation related to Version 2 of the AWS CLI, see the Version 2 User Guide.
Using IAM in the AWS CLI
An introduction to AWS Identity and Access Management |
---|
|
You can access the features of AWS Identity and Access Management (IAM) using the AWS Command Line Interface (AWS CLI). To list the AWS CLI commands for IAM, use the following command.
aws iam help
This topic shows examples of AWS CLI commands that perform common tasks for IAM.
Before you run any commands, set your default credentials. For more information, see Configuring settings for the AWS CLI.
For more information on the IAM service, see the AWS Identity and Access Management User Guide.
Topics
Creating IAM users and groups
To create a group and add a new user to it
-
Use the
create-group
command to create the group.$
aws iam create-group --group-name
MyIamGroup
{ "Group": { "GroupName": "MyIamGroup", "CreateDate": "2018-12-14T03:03:52.834Z", "GroupId": "AGPAJNUJ2W4IJVEXAMPLE", "Arn": "arn:aws:iam::123456789012:group/
MyIamGroup
", "Path": "/" } } -
Use the
create-user
command to create the user.$
aws iam create-user --user-name
MyUser
{ "User": { "UserName": "
MyUser
", "Path": "/", "CreateDate": "2018-12-14T03:13:02.581Z", "UserId": "AIDAJY2PE5XUZ4EXAMPLE", "Arn": "arn:aws:iam::123456789012:user/MyUser
" } } -
Use the
add-user-to-group
command to add the user to the group.$
aws iam add-user-to-group --user-name
MyUser
--group-nameMyIamGroup
-
To verify that the
MyIamGroup
group contains theMyUser
, use theget-group
command.$
aws iam get-group --group-name
MyIamGroup
{ "Group": { "GroupName": "
MyIamGroup
", "CreateDate": "2018-12-14T03:03:52Z", "GroupId": "AGPAJNUJ2W4IJVEXAMPLE", "Arn": "arn:aws:iam::123456789012:group/MyIamGroup
", "Path": "/" }, "Users": [ { "UserName": "MyUser
", "Path": "/", "CreateDate": "2018-12-14T03:13:02Z", "UserId": "AIDAJY2PE5XUZ4EXAMPLE", "Arn": "arn:aws:iam::123456789012:user/MyUser
" } ], "IsTruncated": "false" }
Attaching an IAM managed policy to a user
The policy in this example provides the user with "Power User Access".
To attach an IAM managed policy to a user
-
Determine the Amazon Resource Name (ARN) of the policy to attach. The following command uses
list-policies
to find the ARN of the policy with the namePowerUserAccess
. It then stores that ARN in an environment variable.$
export
POLICYARN
=$(aws iam list-policies --query 'Policies[?PolicyName==`PowerUserAccess`].{ARN:Arn}' --output text) ~$
echo $
POLICYARN
arn:aws:iam::aws:policy/PowerUserAccess
-
To attach the policy, use the
attach-user-policy
attach-user-policy
command, and reference the environment variable that holds the policy ARN. $
aws iam attach-user-policy --user-name
MyUser
--policy-arn $POLICYARN
-
Verify that the policy is attached to the user by running the
list-attached-user-policies
command.$
aws iam list-attached-user-policies --user-name
MyUser
{ "AttachedPolicies": [ { "PolicyName": "PowerUserAccess", "PolicyArn": "arn:aws:iam::aws:policy/PowerUserAccess" } ] }
For more information, see Access Management Resources. This topic provides links to an overview of permissions and policies, and links to examples of policies for accessing Amazon S3, Amazon EC2, and other services.
Setting an initial password for an IAM user
The following command uses
create-login-profile
to set an initial password on the specified user. When
the user signs in for the first time, the user is required to change the password to something
that only the user knows.
$
aws iam create-login-profile --user-name
MyUser
--passwordMy!User1Login8P@ssword
--password-reset-required{ "LoginProfile": { "UserName": "
MyUser
", "CreateDate": "2018-12-14T17:27:18Z", "PasswordResetRequired": true } }
You can use the update-login-profile
command to change the password for a user.
$
aws iam update-login-profile --user-name
MyUser
--passwordMy!User1ADifferentP@ssword
Creating an access key for an IAM user
You can use the
create-access-key
command to create an access key for a user. An
access key is a set of security credentials that consists of an access key ID and a secret key.
A user can create only two access keys at one time. If you try to create a third set, the
command returns a LimitExceeded
error.
$
aws iam create-access-key --user-name
MyUser
{ "AccessKey": { "UserName": "
MyUser
", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active", "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "CreateDate": "2018-12-14T17:34:16Z" } }
Use the
delete-access-key
command to delete an access key for a user. Specify
which access key to delete by using the access key ID.
$
aws iam delete-access-key --user-name
MyUser
--access-key-id AKIAIOSFODNN7EXAMPLE