Managing passwords for IAM users - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managing passwords for IAM users

IAM users who use the Amazon Web Services Management Console to work with Amazon resources must have a password in order to sign in. You can create, change, or delete a password for an IAM user in your Amazon account.

After you have assigned a password to a user, the user can sign in to the Amazon Web Services Management Console using the sign-in URL for your account, which looks like this:

https://12-digit-Amazon-account-ID or alias.signin.amazonaws.cn/console

For more information about how IAM users sign in to the Amazon Web Services Management Console, see How to sign in to Amazon in the Amazon Sign-In User Guide.

Even if your users have their own passwords, they still need permissions to access your Amazon resources. By default, a user has no permissions. To give your users the permissions they need, you assign policies to them or to the groups they belong to. For information about creating users and groups, see IAM Identities (users, user groups, and roles). For information about using policies to set permissions, see Changing permissions for an IAM user.

You can grant users permission to change their own passwords. For more information, see Permitting IAM users to change their own passwords. For information about how users access your account sign-in page, see How to sign in to Amazon in the Amazon Sign-In User Guide.

Creating, changing, or deleting an IAM user password (console)

You can use the Amazon Web Services Management Console to manage passwords for your IAM users.

When users leave your organization or no longer need Amazon access, it is important to find the credentials that they were using and ensure that they are no longer operational. Ideally, you delete credentials if they are no longer needed. You can always recreate them at a later date if the need arises. At the very least, you should change the credentials so that the former users no longer have access.

To add a password for an IAM user (console)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Users.

  3. Choose the name of the user whose password you want to create.

  4. Choose the Security credentials tab, and then under Console sign-in, choose Enable console access.

  5. In Manage console access, for Console access choose Enable if not already selected. If console access is disabled, then no password is needed.

  6. For Set password, choose whether to have IAM generate a password or create a custom password:

    • To have IAM generate a password, choose Autogenerated password.

    • To create a custom password, choose Custom password, and type the password.

      Note

      The password that you create must meet the account's password policy.

  7. To require the user to create a new password when signing in, choose User must create a new password at next sign-in. Then choose Apply.

    Important

    If you select the User must create a new password at next sign-in option, make sure that the user has permission to change his or her password. For more information, see Permitting IAM users to change their own passwords.

  8. If you choose the option to generate a password, choose Show in the Console password dialog box. This lets you view the password so you can share it with the user.

    Important

    For security reasons, you cannot access the password after completing this step, but you can create a new password at any time.

To change the password for an IAM user (console)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Users.

  3. Choose the name of the user whose password you want to change.

  4. Choose the Security credentials tab, and then under Console sign-in, choose Manage console access.

  5. In Manage console access, for Console access choose Enable if not already selected. If console access is disabled, then no password is needed.

  6. For Set password, choose whether to have IAM generate a password or create a custom password:

    • To have IAM generate a password, choose Autogenerated password.

    • To create a custom password, choose Custom password, and type the password.

      Note

      The password that you create must meet the account's password policy, if one is currently set.

  7. To require the user to create a new password when signing in, choose User must create a new password at next sign-in. Then choose Apply.

    Important

    If you select the User must create a new password at next sign-in option, make sure that the user has permission to change his or her password. For more information, see Permitting IAM users to change their own passwords.

  8. If you choose the option to generate a password, choose Show in the Console password dialog box. This lets you view the password so you can share it with the user.

    Important

    For security reasons, you cannot access the password after completing this step, but you can create a new password at any time.

To delete (disable) an IAM user password (console)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Users.

  3. Choose the name of the user whose password you want to delete.

  4. Choose the Security credentials tab, and then under Console sign-in, choose Manage console access.

  5. For Console access, choose Disable, and then choose Apply.

Important

You can prevent an IAM user from accessing the Amazon Web Services Management Console by removing their password. This prevents them from signing in to the Amazon Web Services Management Console using their sign-in credentials. It does not change their permissions or prevent them from accessing the console using an assumed role. If the user has active access keys, they continue to function and allow access through the Amazon CLI, Tools for Windows PowerShell, Amazon API, or the Amazon Console Mobile Application.

Creating, changing, or deleting an IAM user password (Amazon CLI)

You can use the Amazon CLI API to manage passwords for your IAM users.

To create a password (Amazon CLI)
  1. (Optional) To determine whether a user has a password, run this command: aws iam get-login-profile

  2. To create a password, run this command: aws iam create-login-profile

To change a user's password (Amazon CLI)
  1. (Optional) To determine whether a user has a password, run this command: aws iam get-login-profile

  2. To change a password, run this command: aws iam update-login-profile

To delete (disable) a user's password (Amazon CLI)
  1. (Optional) To determine whether a user has a password, run this command: aws iam get-login-profile

  2. (Optional) To determine when a password was last used, run this command: aws iam get-user

  3. To delete a password, run this command: aws iam delete-login-profile

Important

When you delete a user's password, the user can no longer sign in to the Amazon Web Services Management Console. If the user has active access keys, they continue to function and allow access through the Amazon CLI, Tools for Windows PowerShell, or Amazon API function calls. When you use the Amazon CLI, Tools for Windows PowerShell, or Amazon API to delete a user from your Amazon Web Services account, you must first delete the password using this operation. For more information, see Deleting an IAM user (Amazon CLI).

Creating, changing, or deleting an IAM user password (Amazon API)

You can use the Amazon API to manage passwords for your IAM users.

To create a password (Amazon API)
  1. (Optional) To determine whether a user has a password, call this operation: GetLoginProfile

  2. To create a password, call this operation: CreateLoginProfile

To change a user's password (Amazon API)
  1. (Optional) To determine whether a user has a password, call this operation: GetLoginProfile

  2. To change a password, call this operation: UpdateLoginProfile

To delete (disable) a user's password (Amazon API)
  1. (Optional) To determine whether a user has a password, run this command: GetLoginProfile

  2. (Optional) To determine when a password was last used, run this command: GetUser

  3. To delete a password, run this command: DeleteLoginProfile

Important

When you delete a user's password, the user can no longer sign in to the Amazon Web Services Management Console. If the user has active access keys, they continue to function and allow access through the Amazon CLI, Tools for Windows PowerShell, or Amazon API function calls. When you use the Amazon CLI, Tools for Windows PowerShell, or Amazon API to delete a user from your Amazon Web Services account, you must first delete the password using this operation. For more information, see Deleting an IAM user (Amazon CLI).