Manage passwords for IAM users
IAM users who use the Amazon Web Services Management Console to work with Amazon resources must have a password in order to sign in. You can create, change, or delete a password for an IAM user in your Amazon account.
After you have assigned a password to a user, the user can sign in to the Amazon Web Services Management Console using the sign-in URL for your account, which looks like this:
https://12-digit-Amazon-account-ID or alias.signin.amazonaws.cn/console
For more information about how IAM users sign in to the Amazon Web Services Management Console, see How to sign in to Amazon in the Amazon Sign-In User Guide.
Even if your users have their own passwords, they still need permissions to access your Amazon resources. By default, a user has no permissions. To give your users the permissions they need, you assign policies to them or to the groups they belong to. For information about creating users and groups, see IAM Identities . For information about using policies to set permissions, see Change permissions for an IAM user.
You can grant users permission to change their own passwords. For more information, see Permit IAM users to change their own passwords. For information about how users access your account sign-in page, see How to sign in to Amazon in the Amazon Sign-In User Guide.
Creating, changing, or deleting an IAM user password (console)
You can use the Amazon Web Services Management Console to manage passwords for your IAM users.
The access needs of your users can change over time. You might need to enable a user intended for CLI access to have console access, change a user's password because they receive the email with their credentials, or delete a user when they leave your organization or no longer need Amazon access.
To create an IAM user password (console)
Use this procedure to give a user console access by creating a password that is associated with the username.
To change the password for an IAM user (console)
Use this procedure to update a password that is associated with the username.
To delete (disable) an IAM user password (console)
Use this procedure to delete a password that is associated with the username, removing console access for the user.
Important
You can prevent an IAM user from accessing the Amazon Web Services Management Console by removing their password. This prevents them from signing in to the Amazon Web Services Management Console using their sign-in credentials. It does not change their permissions or prevent them from accessing the console using an assumed role. If the user has active access keys, they continue to function and allow access through the Amazon CLI, Tools for Windows PowerShell, Amazon API, or the Amazon Console Mobile Application.
Creating, changing, or deleting an IAM user password (Amazon CLI)
You can use the Amazon CLI to manage passwords for your IAM users.
To create a password (Amazon CLI)
- (Optional) To determine whether a user has a password, run this command: aws iam get-login-profile
- To create a password, run this command: aws iam create-login-profile
To change a user's password (Amazon CLI)
- (Optional) To determine whether a user has a password, run this command: aws iam get-login-profile
- To change a password, run this command: aws iam update-login-profile
To delete (disable) a user's password (Amazon CLI)
- (Optional) To determine whether a user has a password, run this command: aws iam get-login-profile
- (Optional) To determine when a password was last used, run this command: aws iam get-user
- To delete a password, run this command: aws iam delete-login-profile
Important
When you delete a user's password, the user can no longer sign in to the Amazon Web Services Management Console. If the user has active access keys, they continue to function and allow access through the Amazon CLI, Tools for Windows PowerShell, or Amazon API function calls. When you use the Amazon CLI, Tools for Windows PowerShell, or Amazon API to delete a user from your Amazon Web Services account, you must first delete the password using this operation. For more information, see Deleting an IAM user (Amazon CLI).
To revoke a user's active console sessions before a specified time (Amazon CLI)
- To embed an inline policy that revokes an IAM user's active console sessions before a specified time, use the following inline policy and run this command: aws iam put-user-policy
  This inline policy denies all permissions and includes the aws:TokenIssueTime condition key. It revokes the user's active console sessions before the specified time in the Condition element of the inline policy. Replace the aws:TokenIssueTime condition key value with your own value.
  {
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "DateLessThan": {
          "aws:TokenIssueTime": "2014-05-07T23:47:00Z"
        }
      }
    }
  }
- (Optional) To list the names of the inline policies embedded in the IAM user, run this command: aws iam list-user-policies
- (Optional) To view the named inline policy embedded in the IAM user, run this command: aws iam get-user-policy
Creating, changing, or deleting an IAM user password (Amazon API)
You can use the Amazon API to manage passwords for your IAM users.
To create a password (Amazon API)
- (Optional) To determine whether a user has a password, call this operation: GetLoginProfile
- To create a password, call this operation: CreateLoginProfile
To change a user's password (Amazon API)
- (Optional) To determine whether a user has a password, call this operation: GetLoginProfile
- To change a password, call this operation: UpdateLoginProfile
To delete (disable) a user's password (Amazon API)
- (Optional) To determine whether a user has a password, call this operation: GetLoginProfile
- (Optional) To determine when a password was last used, call this operation: GetUser
- To delete a password, call this operation: DeleteLoginProfile
Important
When you delete a user's password, the user can no longer sign in to the Amazon Web Services Management Console. If the user has active access keys, they continue to function and allow access through the Amazon CLI, Tools for Windows PowerShell, or Amazon API function calls. When you use the Amazon CLI, Tools for Windows PowerShell, or Amazon API to delete a user from your Amazon Web Services account, you must first delete the password using this operation. For more information, see Deleting an IAM user (Amazon CLI).
To revoke a user's active console sessions before a specified time (Amazon API)
- To embed an inline policy that revokes an IAM user's active console sessions before a specified time, use the following inline policy and call this operation: PutUserPolicy
  This inline policy denies all permissions and includes the aws:TokenIssueTime condition key. It revokes the user's active console sessions before the specified time in the Condition element of the inline policy. Replace the aws:TokenIssueTime condition key value with your own value.
  {
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "DateLessThan": {
          "aws:TokenIssueTime": "2014-05-07T23:47:00Z"
        }
      }
    }
  }
- (Optional) To list the names of the inline policies embedded in the IAM user, call this operation: ListUserPolicies
- (Optional) To view the named inline policy embedded in the IAM user, call this operation: GetUserPolicy
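The delete-password and session-revocation procedures from the Amazon CLI and Amazon API sections above, combined into one script as an added example that is not part of the Amazon documentation. It uses the boto3 IAM client methods that correspond to GetLoginProfile, DeleteLoginProfile and PutUserPolicy; the inline policy name RevokeConsoleSessionsBefore and the user names are assumptions.

```python
import json
from datetime import datetime, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
POLICY_NAME = "RevokeConsoleSessionsBefore"  # assumed inline policy name


def revoke_sessions_policy(cutoff_utc: str) -> dict:
    """Deny-all inline policy from the page, parameterised by cutoff time."""
    # Reject anything that is not the exact UTC format the condition expects.
    datetime.strptime(cutoff_utc, TIME_FMT)
    # aws:TokenIssueTime exists only on temporary credentials (console
    # sessions, assumed roles); long-term access keys are unaffected and
    # must be deactivated separately.
    return {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff_utc}},
        },
    }


def disable_console_access(iam, user_name: str, cutoff_utc: str = None) -> dict:
    """Delete the user's password, then revoke sessions issued before cutoff.
    `iam` is boto3.client("iam") or any object with get_login_profile,
    delete_login_profile and put_user_policy; default cutoff is now (UTC).
    """
    cutoff_utc = cutoff_utc or datetime.now(timezone.utc).strftime(TIME_FMT)
    result = {"user": user_name, "password_deleted": False}
    # get-login-profile: NoSuchEntity means the user has no password at all.
    try:
        iam.get_login_profile(UserName=user_name)
        has_password = True
    except iam.exceptions.NoSuchEntityException:
        has_password = False
    # delete-login-profile: blocks new console sign-ins only.
    if has_password:
        iam.delete_login_profile(UserName=user_name)
        result["password_deleted"] = True
    # put-user-policy: existing sessions stay valid until they expire, so
    # deny everything for tokens issued before the cutoff.
    policy = revoke_sessions_policy(cutoff_utc)
    iam.put_user_policy(UserName=user_name, PolicyName=POLICY_NAME,
                        PolicyDocument=json.dumps(policy))
    result["revoked_before"] = cutoff_utc
    return result
```

Call disable_console_access(boto3.client("iam"), "some-user") against a real account; the result dict records whether a password existed and which cutoff was written into the policy.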