Create an IAM user for workloads that can't use IAM roles - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Create an IAM user for workloads that can't use IAM roles

Important

As a best practice, we recommend that you require your human users to use temporary credentials when accessing Amazon. You can use an identity provider for your human users to provide federated access to Amazon Web Services accounts by assuming roles, which provide temporary credentials. For centralized access management, we recommend that you use Amazon IAM Identity Center (IAM Identity Center) to manage access to your accounts and permissions within those accounts. You can create and manage your user identities, including your administrative user, with IAM Identity Center. If you are using an external identity provider, you can also configure the access permissions for user identities in IAM Identity Center. For more information, see What is Amazon IAM Identity Center in the Amazon IAM Identity Center User Guide.

There are specific use cases that require long-term credentials with IAM users in Amazon. You can use IAM to create these IAM users under the umbrella of your Amazon account, and use IAM to manage their permissions. Some use cases include the following:

  • Workloads that can't use IAM roles

  • Third-party Amazon clients

  • Amazon CodeCommit access

  • Amazon Keyspaces (for Apache Cassandra) access

  • Amazon IAM Identity Center isn't available for your account and you have no other identity provider

As a best practice in scenarios in which you need IAM users with programmatic access and long-term credentials, we recommend that you establish procedures to update access keys when needed. For more information, see Updating access keys.
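One concrete form such a procedure can take, as an added example that is not part of this page or of any Amazon tooling: the rotation driver below creates a second key, hands it to the workload, and only then deactivates (not yet deletes) the old one, so a workload that still signs with the old key fails closed and can be re-enabled. It calls four boto3 IAM client methods by their real names and keyword arguments (list_access_keys, create_access_key, update_access_key, delete_access_key); the FakeIam class and the key IDs are constructed stand-ins so the example runs offline, and in production you pass boto3.client("iam") instead.

```python
"""Access key rotation for a workload IAM user (added example, not from the page).

rotate_access_key() drives the create / deploy / deactivate / verify / delete
sequence against any object exposing the boto3 IAM client methods it calls.
FakeIam is a constructed in-memory stand-in so the example runs offline;
in production pass boto3.client("iam") instead.
"""
import itertools

MAX_KEYS_PER_USER = 2  # IAM allows at most two access keys per user


def rotate_access_key(iam, user_name, deploy):
    """Create a new key, install it via deploy(), then deactivate the old ones.

    deploy(access_key_id, secret_access_key) must push the new key to the
    workload and return True only once the workload is observed using it.
    Old keys are only deactivated here (reversible); delete them with
    finish_rotation() after a soak period with no access-denied errors.
    Returns (new_key_id, [deactivated_key_ids]).
    """
    existing = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(existing) >= MAX_KEYS_PER_USER:
        raise RuntimeError(
            f"{user_name} already has {len(existing)} access keys; "
            "delete the unused one before rotating")
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    try:
        if not deploy(new["AccessKeyId"], new["SecretAccessKey"]):
            raise RuntimeError("workload did not confirm the new key")
    except Exception:
        # Roll back so no live, unused secret is left behind.
        iam.delete_access_key(UserName=user_name, AccessKeyId=new["AccessKeyId"])
        raise
    old_ids = [k["AccessKeyId"] for k in existing]
    for key_id in old_ids:
        # Inactive keys fail closed; re-enable with Status="Active" if anything breaks.
        iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")
    return new["AccessKeyId"], old_ids


def finish_rotation(iam, user_name, old_key_ids):
    """Delete keys that stayed inactive through the soak period without incident."""
    for key_id in old_key_ids:
        iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)


class FakeIam:
    """Constructed stand-in for the boto3 IAM client calls used above (not the AWS SDK)."""

    def __init__(self, user_name, key_ids=()):
        self._keys = {user_name: [
            {"UserName": user_name, "AccessKeyId": k, "Status": "Active"} for k in key_ids]}
        self._seq = itertools.count(1)

    def _find(self, user_name, key_id):
        for key in self._keys[user_name]:
            if key["AccessKeyId"] == key_id:
                return key
        raise KeyError(key_id)

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self._keys[UserName]]}

    def create_access_key(self, UserName):
        key = {"UserName": UserName, "AccessKeyId": f"AKIANEW{next(self._seq):013d}",
               "Status": "Active"}
        self._keys[UserName].append(key)
        return {"AccessKey": {**key, "SecretAccessKey": "constructed-secret-not-real"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self._find(UserName, AccessKeyId)["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self._keys[UserName].remove(self._find(UserName, AccessKeyId))


if __name__ == "__main__":
    iam = FakeIam("Workload1", ["AKIAIOSFODNN7EXAMPLE"])  # constructed old key ID
    new_id, old_ids = rotate_access_key(iam, "Workload1", deploy=lambda key_id, secret: True)
    print("new key", new_id, "deactivated", old_ids)
    finish_rotation(iam, "Workload1", old_ids)
    print(iam.list_access_keys(UserName="Workload1"))
```

In a real deployment the deploy callback writes the new key to wherever the workload reads it (a secrets store, not a .csv on disk) and returns True only after a request signed with the new key succeeds; run finish_rotation only after the old key has been inactive long enough for any forgotten consumer to surface as an access-denied error.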

To perform some account and service management tasks, you must sign in using root user credentials. To view the tasks that require you to sign in as the root user, see Tasks that require root user credentials.

This procedure describes how to use the Amazon Web Services Management Console to create an IAM user for workloads that can't use IAM roles and add it to a user group. Before performing this procedure, sign in using an account with administrator permissions.

To create an IAM user for a workload (console)

  1. To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

    For help signing in using an IAM Identity Center user, see Signing in to the Amazon access portal in the Amazon Sign-In User Guide.

    Alternatively, sign in to the IAM console using an account with administrator permissions. On the next page, enter your password.

  2. In the navigation pane, choose Users and then choose Create users.

  3. On the Specify user details page, do the following:

    1. For User name, type WorkloadName. Replace WorkloadName with the name of the workload that will be using the account.

    2. Choose Next.

  4. (Optional) On the Set Permissions page, do the following:

    1. Choose Add user to group.

    2. Choose Create group.

    3. In the Create user group dialog box, for User group name type a name that represents the use of the workloads in the group. For this example, use the name Automation.

    4. Under Permissions policies select the checkbox for the PowerUserAccess managed policy.

      Tip

      Enter Power into the Permissions policies search box to quickly find the managed policy.

    5. Choose Create user group.

    6. Back on the page with the list of user groups, select the checkbox for your new user group. Choose Refresh if you don't see the new user group in the list.

    7. Choose Next.

  5. (Optional) In the Tags section, add metadata to the user by attaching tags as key-value pairs. For more information, see Tagging IAM resources.

  6. Verify the user group memberships for the new user. When you are ready to proceed, choose Create user.

  7. A status notification appears informing you that the user was created successfully. Select View user to go to the user details page.

  8. Select the Security credentials tab. Then create the credentials needed for the workload.

    • Access keys–Select Create access key to generate and download access keys for the user.

      Important

      This is your only opportunity to view or download the secret access keys, and you must provide this information to your users before they can use the Amazon API. Save the user's new access key ID and secret access key in a safe and secure place. You will not have access to the secret keys again after this step.

    • SSH public keys for Amazon CodeCommit–Select Upload SSH public key to upload an SSH public key so that the user can communicate with CodeCommit repositories over SSH.

    • HTTPS Git credentials for Amazon CodeCommit–Select Generate credentials to generate a unique set of user credentials to use with Git repositories. Select Download credentials to save the user name and password to a .csv file. This is the only time that information is available. If you forget or lose the password you will need to reset it.

    • Credentials for Amazon Keyspaces (for Apache Cassandra)–Select Generate credentials to generate a service-specific user credentials to use with Amazon Keyspaces. Select Download credentials to save the user name and password to a .csv file. This is the only time that information is available. If you forget or lose the password you will need to reset it.

      Important

      Service-specific credentials are long-term credentials associated with a specific IAM user and can only be used for the service they were created for. To give IAM roles or federated identities permissions to access all your Amazon resources using temporary credentials, use Amazon authentication with the SigV4 authentication plugin for Amazon Keyspaces. For more information see, Using temporary credentials to connect to Amazon Keyspaces (for Apache Cassandra) using an IAM role and the SigV4 plugin in the Amazon Keyspaces (for Apache Cassandra) Developer Guide.

    • X.509 Signing certificates–Select Create X.509 Certificate if you need to make secure SOAP-protocol requests and are in a Region that's not supported by Amazon Certificate Manager. ACM is the preferred tool to provision, manage, and deploy your server certificates. For more information about using ACM, see the Amazon Certificate Manager User Guide.

You have created a user with programmatic access and configured it with the PowerUserAccess job function policy. This policy grants full access to every service except for IAM and Amazon Organizations; in those two services only a handful of actions remain allowed, such as creating service-linked roles, listing roles, and describing the organization.

You can use this same process to give additional workloads programmatic access to your Amazon Web Services account resources, if the workloads are unable to assume IAM roles. This procedure used the PowerUserAccess managed policy to assign permissions. To follow the best practice of least privilege, consider using a more restrictive policy or creating a custom policy that restricts access to only resources required by the program. To learn about using policies that restrict user permissions to specific Amazon resources, see Access management for Amazon resources and Example IAM identity-based policies. To add additional users to the user group after it's created, see Adding and removing users in an IAM user group.

Create an IAM user and user group (Amazon CLI)

If you followed the steps in the previous section, you used the Amazon Web Services Management Console to set up an automation user group while creating the IAM user in your Amazon Web Services account. This procedure shows an alternative way to create a user group and add an existing user to the group.

Overview: Setting up an automation user group
  1. Create a user group and give it a name (for example, Automation). For more information, see Create a user group (Amazon CLI).

  2. Attach a policy that gives the user group Power User permissions, which grants it full access to every service except for IAM and Amazon Organizations. For more information, see Attach a policy to the user group (Amazon CLI).

  3. Add at least one user to the user group. For more information, see Creating an IAM user in your Amazon Web Services account.

Create a user group (Amazon CLI)

This section shows how to create a user group in the IAM system.

Requirements

Install the Amazon Command Line Interface (Amazon CLI). For more information, see Installing the Amazon CLI in the Amazon Command Line Interface User Guide.

To create an automation user group (Amazon CLI)
  1. Type the aws iam create-group command with the name you've chosen for the user group. Optionally, you can include a path as part of the user group name. For more information about paths, see Friendly names and paths. The name can consist of letters, digits, and the following characters: plus (+), equal (=), comma (,), period (.), at (@), underscore (_), and hyphen (-). The name is not case sensitive and can be a maximum of 128 characters in length.

    In this example, you create a user group named Automation.

    aws iam create-group --group-name Automation
    {
        "Group": {
            "Path": "/",
            "CreateDate": "2014-06-05T20:29:53.622Z",
            "GroupId": "ABCDEFGHABCDEFGHABCDE",
            "Arn": "arn:aws-cn:iam::123456789012:group/Automation",
            "GroupName": "Automation"
        }
    }
  2. Type the aws iam list-groups command to list the user groups in your Amazon Web Services account and confirm the user group was created.

    aws iam list-groups
    {
        "Groups": [
            {
                "Path": "/",
                "CreateDate": "2014-06-05T20:29:53.622Z",
                "GroupId": "ABCDEFGHABCDEFGHABCDE",
                "Arn": "arn:aws-cn:iam::123456789012:group/Automation",
                "GroupName": "Automation"
            }
        ]
    }

    The response includes the Amazon Resource Name (ARN) for your new user group. The ARN is a standard format that Amazon uses to identify resources. The 12-digit number in the ARN is your Amazon Web Services account ID. The friendly name you assigned to the user group (Automation) appears at the end of the user group's ARN.

Attach a policy to the user group (Amazon CLI)

In the console tutorial, the managed policy was attached when the group was created. However, if you used the CLI or SDK to create the group, the group hasn't been granted any permissions yet. This section shows how to use the CLI to attach the Amazon managed policy called PowerUserAccess to the Automation user group. For more information about policies, see Access management for Amazon resources.

To add a policy giving PowerUserAccess permissions (Amazon CLI)
  1. Type the aws iam attach-group-policy command to attach the policy called PowerUserAccess to your Automation user group. The command uses the ARN of the Amazon managed policy called PowerUserAccess.

    aws iam attach-group-policy --group-name Automation --policy-arn arn:aws-cn:iam::aws:policy/PowerUserAccess

    If the command is successful, there is no response.

  2. Type the aws iam list-attached-group-policies command to confirm the policy is attached to the Automation user group.

    aws iam list-attached-group-policies --group-name Automation

    The response lists the names of the policies attached to the Automation user group. A response like the following tells you that the policy named PowerUserAccess has been attached to the Automation user group:

    {
        "AttachedPolicies": [
            {
                "PolicyName": "PowerUserAccess",
                "PolicyArn": "arn:aws-cn:iam::aws:policy/PowerUserAccess"
            }
        ],
        "IsTruncated": false
    }

You can confirm which policy an ARN refers to with the aws iam get-policy command. That command returns policy metadata only; to read the policy document itself, pass the DefaultVersionId it returns to the aws iam get-policy-version command.

Add a user to an existing group (Amazon CLI)

After you have a group set up, you must add at least one user to it.

To add a user to an IAM group (CLI)
  1. Type the aws iam add-user-to-group command including the group-name and the user-name options as shown in the following example:

    aws iam add-user-to-group --user-name Workload1 --group-name Automation
  2. The command produces no output. To confirm that the user was added to the group, type the aws iam list-groups-for-user command with the user-name option, as shown in the following example:

    aws iam list-groups-for-user --user-name Workload1

    The command outputs the groups the user belongs to, similar to the following example:

    {
        "Groups": [
            {
                "Path": "/",
                "CreateDate": "2024-06-06T01:18:08Z",
                "GroupId": "ABCDEFGHABCDEFGHABCDE",
                "Arn": "arn:aws-cn:iam::123456789012:group/Automation",
                "GroupName": "Automation"
            }
        ]
    }

Reduce the user group permissions

Members of the Automation user group have full access to all services except those that provide user management actions (like IAM and Organizations). After a predefined sample period of activity (such as 90 days) has passed, you can review the services that your user group members have accessed. Then you can create a new customer managed policy with reduced permissions to replace the PowerUserAccess policy. The new policy should include only the services that were accessed during the sample period. Update the group to remove the PowerUserAccess managed policy and attach the new customer managed policy you created. The following procedure steps through the process using the Automation group created earlier in the tutorial.

For more information about the last accessed information, see Refining permissions in Amazon using last accessed information.

Review last accessed information

Wait for a predefined period of activity (such as 90 days) to pass. Then review the last accessed information for your users or user groups to learn when they last attempted to access the services that your PowerUserAccess policy allows.

  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose User groups and then choose the Automation group name.

  3. On the user group summary page, choose the Access Advisor tab.

    The table of last accessed information shows when the user group members last attempted to access each service, in chronological order from the most recent attempt. The table includes only the services that the policy allows. In this case, the PowerUserAccess policy allows access to all Amazon services.

  4. Review the table and make a list of the services that your user group members have recently accessed.

    For example, assume that within the last month, your automation team has accessed only the Amazon EC2 and Amazon S3 services. But six months ago, they accessed Amazon EC2 Auto Scaling and IAM. You know that they were investigating EC2 Auto Scaling, but decided that it wasn't necessary. You also know that they used IAM to create a role to allow Amazon EC2 to access data in an S3 bucket. So you decide to scale back the automation user's permissions to allow access to only the services used in the last month.

Generate a policy with reduced permissions

You can use the access activity of a user or a role to generate a customer managed policy to allow access to only the services that your users need. For this example, we're going to use the Workload1 user as the basis of the new permissions policy.

To generate a policy to allow access to only necessary services
  1. In the navigation pane, choose Users and then choose the Workload1 user name to go to the user details page.

  2. On Permissions tab, under Generate policy based on CloudTrail events, choose Generate policy.

  3. On the Generate policy page, configure the following items:

    • For Select time period, choose Last 30 days.

    • For CloudTrail trail to be analyzed, select the Region and trail where this user's activity is recorded.

    • Choose Create and use a new service role.

  4. Choose Generate policy then wait until the role is created. Don't refresh or navigate away from the console page until the Policy generation in progress notification message appears.

  5. The policy is generated, but you must review and customize it as needed, because the automatically generated policy might not include all the action-level information needed to complete the policy. For more information, see IAM Access Analyzer policy generation.

    For example, the generated policy's first statement uses an Allow effect with a NotAction element, as PowerUserAccess does. Replace that statement with one whose Sid is FullAccessToSomeServices and that allows only Amazon EC2 and Amazon S3 actions. Your new policy could look like the following example policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "FullAccessToSomeServices",
                "Effect": "Allow",
                "Action": [
                    "ec2:*",
                    "s3:*"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:CreateServiceLinkedRole",
                    "iam:DeleteServiceLinkedRole",
                    "iam:ListRoles",
                    "organizations:DescribeOrganization"
                ],
                "Resource": "*"
            }
        ]
    }
  6. To support the best practice of granting least privilege, review and correct any errors, warnings, or suggestions returned during policy validation.

  7. To further reduce your policies' permissions to specific actions and resources, view your events in CloudTrail Event history. There you can view detailed information about the specific actions and resources that your user has accessed. For more information, see Viewing CloudTrail Events in the CloudTrail Console in the Amazon CloudTrail User Guide.

  8. After reviewing and validating your policy, save it as AutomationPolicy.

  9. Navigate to the Groups page and choose the Automation group you created previously.

  10. Select the Permissions tab, and then choose Add permissions and select Attach policies.

  11. On the Attach permission policies page, in the Other permissions policies list, select the AutomationPolicy you created previously, then choose Attach policies.

  12. You are returned to the Group details page, where two policies are now attached to the group: PowerUserAccess and AutomationPolicy. Select the checkbox for PowerUserAccess and then choose Remove. When asked to confirm the removal, choose Remove.

The members of the Automation group now have reduced access according to the new policy you created.
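The last-accessed review and the policy generation above both reduce to the same computation: take the user's recent activity, keep only the services (or actions) actually used, and emit a policy shaped like the FullAccessToSomeServices example. The following is an added example that does that offline; it is not Access Analyzer's code or any Amazon tooling. SAMPLE_EVENTS, SAMPLE_NOW and the user names are constructed data in CloudTrail's JSON field layout (eventTime, eventSource, eventName, userIdentity.userName); SOURCE_TO_PREFIX is an assumed short mapping for eventSource hostnames whose first label is not the IAM service prefix. It goes one step past the page in two ways: an action_level switch produces the tighter, action-by-action policy the CloudTrail Event history step hints at, and exceeds_power_user() flags the case where a policy "generated from activity" would actually widen access into the IAM, Organizations or account namespaces that PowerUserAccess never granted.

```python
"""Reduce a workload's permissions from observed activity (added example, not from the page).

actions_used() summarises a window of CloudTrail-style events for one user and
build_policy() turns that into a policy shaped like the page's
FullAccessToSomeServices example. SAMPLE_EVENTS and SAMPLE_NOW are constructed
sample data; in practice feed it events from CloudTrail Event history or a
trail in S3 (the field names match CloudTrail's JSON).
"""
from datetime import datetime, timedelta, timezone
import json

# CloudTrail eventSource hostnames whose first label is not the IAM service
# prefix (assumed short list; extend it for the services your workload uses).
SOURCE_TO_PREFIX = {"monitoring.amazonaws.com": "cloudwatch"}

# Keeps the service-linked-role and organization-lookup actions that
# PowerUserAccess allows, as in the page's generated policy.
BASELINE_STATEMENT = {
    "Effect": "Allow",
    "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole",
               "iam:ListRoles", "organizations:DescribeOrganization"],
    "Resource": "*",
}
RESTRICTED_PREFIXES = ("iam:", "organizations:", "account:")  # PowerUserAccess NotAction

SAMPLE_NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)  # constructed "today"


def _event(time, source, name, user="Workload1"):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": user}}


# Constructed trail: recent EC2/S3/CloudWatch use, old IAM and Auto Scaling use,
# and one event by a different user that must be ignored.
SAMPLE_EVENTS = [
    _event("2024-06-20T10:00:00Z", "ec2.amazonaws.com", "RunInstances"),
    _event("2024-06-21T10:00:00Z", "s3.amazonaws.com", "PutObject"),
    _event("2024-06-22T11:00:00Z", "s3.amazonaws.com", "GetObject"),
    _event("2024-06-24T12:00:00Z", "monitoring.amazonaws.com", "PutMetricData"),
    _event("2024-01-15T09:00:00Z", "autoscaling.amazonaws.com", "CreateAutoScalingGroup"),
    _event("2024-01-16T09:00:00Z", "iam.amazonaws.com", "CreateRole"),
    _event("2024-06-23T12:00:00Z", "ec2.amazonaws.com", "DescribeInstances", user="OtherUser"),
]


def service_prefix(event_source):
    return SOURCE_TO_PREFIX.get(event_source, event_source.split(".")[0])


def actions_used(events, user_name, now, days=30):
    """Map IAM service prefix -> set of 'prefix:Action' the user called in the window."""
    cutoff = now - timedelta(days=days)
    used = {}
    for ev in events:
        if ev["userIdentity"].get("userName") != user_name:
            continue
        if datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00")) < cutoff:
            continue
        prefix = service_prefix(ev["eventSource"])
        # eventName usually equals the IAM action name; verify odd ones by hand.
        used.setdefault(prefix, set()).add(f"{prefix}:{ev['eventName']}")
    return used


def build_policy(used, action_level=False):
    """Service-level policy like the page's example, or action-level when asked."""
    if action_level:
        actions = sorted(a for acts in used.values() for a in acts)
    else:
        actions = [f"{prefix}:*" for prefix in sorted(used)]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "FullAccessToSomeServices", "Effect": "Allow",
         "Action": actions, "Resource": "*"},
        BASELINE_STATEMENT,
    ]}


def exceeds_power_user(policy):
    """Actions in the iam/organizations/account namespaces that PowerUserAccess
    never granted; a 'reduced' policy containing them has actually widened access."""
    return [a for st in policy["Statement"] for a in st["Action"]
            if a.startswith(RESTRICTED_PREFIXES) and a not in BASELINE_STATEMENT["Action"]]


if __name__ == "__main__":
    used = actions_used(SAMPLE_EVENTS, "Workload1", SAMPLE_NOW, days=30)
    print(json.dumps(build_policy(used), indent=2))
    print("widened:", exceeds_power_user(build_policy(
        actions_used(SAMPLE_EVENTS, "Workload1", SAMPLE_NOW, days=180))))
```

Two caveats when running this against real data: S3 object-level calls such as GetObject only appear in CloudTrail if data events are enabled for the bucket, so a quiet service in the trail may just be an unlogged one, and the 30-day window should be at least as long as the workload's slowest recurring job (a monthly report run only once in that window) or the generated policy will break it.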

More information

For instructions about the other use cases that require an IAM user, see: