Creating an IAM user in your Amazon Web Services account - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating an IAM user in your Amazon Web Services account

Important

IAM best practices recommend that you require human users to use federation with an identity provider to access Amazon using temporary credentials instead of using IAM users with long-term credentials.

Note

If you found this page because you are looking for information about the Product Advertising API to sell Amazon products on your website, see the Product Advertising API 5.0 Documentation.

If you arrived at this page from the IAM console, it is possible that your account does not include IAM users, even though you are signed in. You could be signed in as the Amazon Web Services account root user, using a role, or signed in with temporary credentials. To learn more about these IAM identities, see IAM Identities (users, user groups, and roles).

The process of creating a user and enabling that user to perform work tasks consists of the following steps:

  1. Create the user in the Amazon Web Services Management Console, the Amazon CLI, Tools for Windows PowerShell, or using an Amazon API operation. If you create the user in the Amazon Web Services Management Console, then steps 1–4 are handled automatically, based on your choices. If you create the users programmatically, then you must perform each of those steps individually.

  2. Create credentials for the user, depending on the type of access the user requires:

    • Enable console access – optional: If the user needs to access the Amazon Web Services Management Console, create a password for the user. Disabling console access for a user prevents them from signing in to the Amazon Web Services Management Console using their user name and password. It does not change their permissions or prevent them from accessing the console using an assumed role.

    Tip

    Create only the credentials that the user needs. For example, for a user who requires access only through the Amazon Web Services Management Console, do not create access keys.

  3. Give the user permissions to perform the required tasks by adding the user to one or more groups. You can also grant permissions by attaching permissions policies directly to the user. However, we recommend instead that you put your users in groups and manage permissions through policies that are attached to those groups. You can also use a permissions boundary to limit the permissions that a user can have, though this is not common.

  4. (Optional) Add metadata to the user by attaching tags. For more information about using tags in IAM, see Tagging IAM resources.

  5. Provide the user with the necessary sign-in information. This includes the password and the console URL for the account sign-in page where the user provides those credentials. For more information, see How IAM users sign in to Amazon.

  6. (Optional) Configure multi-factor authentication (MFA) for the user. MFA requires the user to provide a one-time-use code each time he or she signs into the Amazon Web Services Management Console.

  7. (Optional) Give users permissions to manage their own security credentials. (By default, users do not have permissions to manage their own credentials.) For more information, see Permitting IAM users to change their own passwords.

For information about the permissions that you need in order to create a user, see Permissions required to access IAM resources.

Creating IAM users (console)

You can use the Amazon Web Services Management Console to create IAM users.

To create an IAM user (console)
  1. Follow the sign-in procedure appropriate to your user type as described in the topic How to sign in to Amazon in the Amazon Sign-In User Guide.

  2. On the Console Home page, select the IAM service.

  3. In the navigation pane, select Users and then select Add users.

  4. On the Specify user details page, under User details, in User name, enter the name for the new user. This is their sign-in name for Amazon.

    Note

    The number and size of IAM resources in an Amazon account are limited. For more information, see IAM and Amazon STS quotas. User names can be a combination of up to 64 letters, digits, and these characters: plus (+), equal (=), comma (,), period (.), at sign (@), underscore (_), and hyphen (-). Names must be unique within an account. They are not distinguished by case. For example, you cannot create two users named TESTUSER and testuser. When a user name is used in a policy or as part of an ARN, the name is case sensitive. When a user name appears to customers in the console, such as during the sign-in process, the user name is case insensitive.

  5. Select Provide user access to the – Amazon Web Services Management Console optional This produces Amazon Web Services Management Console sign-in credentials for the new user.

    You are asked whether you are providing console access to a person. We recommend that you create users in IAM Identity Center rather than IAM.

    • To switch to creating the user in IAM Identity Center, select Specify a user in Identity Center.

      If you have not enabled IAM Identity Center, selecting this option takes you to the service page in the console so that you can enable the service. For details on this procedure, see https://docs.amazonaws.cn/singlesignon/latest/userguide/getting-started.html in the Amazon IAM Identity Center User Guide

      If you have enabled IAM Identity Center, selecting this option takes you to the Specify user details page in IAM Identity Center. For details on this procedure, see https://docs.amazonaws.cn/singlesignon/latest/userguide/addusers.html in the Amazon IAM Identity Center User Guide

    • If you cannot use IAM Identity Center, select I want to create an IAM user and continue following this procedure.

    1. For Console password, select one of the following:

      • Autogenerated password – The user gets a randomly generated password that meets the account password policy. You can view or download the password when you get to the Retrieve password page.

      • Custom password – The user is assigned the password that you enter in the box.

    2. (Optional) Users must create a new password at next sign-in (recommended) is selected by default to ensure that the user is forced to change their password the first time they sign in.

      Note

      If an administrator has enabled the Allow users to change their own password account password policy setting, then this check box does nothing. Otherwise, it automatically attaches an Amazon managed policy named IAMUserChangePassword to the new users. The policy grants them permission to change their own passwords.

  6. Select Next.

  7. On the Set permissions page, specify how you want to assign permissions for this user. Select one of the following three options:

    • Add user to group – Select this option if you want to assign the user to one or more groups that already have permissions policies. IAM displays a list of the groups in your account, along with their attached policies. You can select one or more existing groups, or select Create group to create a new group. For more information, see Changing permissions for an IAM user.

    • Copy permissions – Select this option to copy all of the group memberships, attached managed policies, embedded inline policies, and any existing permissions boundaries from an existing user to the new user. IAM displays a list of the users in your account. Select the one whose permissions most closely match the needs of your new user.

    • Attach policies directly – Select this option to see a list of the Amazon managed and customer managed policies in your account. Select the policies that you want to attach to the user or select Create policy to open a new browser tab and create a new policy. For more information, see step 4 in the procedure Creating IAM policies. After you create the policy, close that tab and return to your original tab to add the policy to the user.

      Tip

      Whenever possible, attach your policies to a group and then make users members of the appropriate groups.

  8. (Optional) Set a permissions boundary. This is an advanced feature.

    Open the Permissions boundary section and select Use a permissions boundary to control the maximum permissions. IAM displays a list of the Amazon managed and customer managed policies in your account. Select the policy to use for the permissions boundary or select Create policy to open a new browser tab and create a new policy. For more information, see step 4 in the procedure Creating IAM policies. After you create the policy, close that tab and return to your original tab to select the policy to use for the permissions boundary.

  9. Select Next.

  10. (Optional) On the Review and create page, under Tags, select Add new tag to add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM resources.

  11. Review all of the choices you made up to this point. When you are ready to proceed, select Create user.

  12. On the Retrieve password page, get the password assigned to the user:

    • Select Show next to the password to view the user's password so that you can record it manually.

    • Select Download .csv to download the user's sign in credentials as a .csv file that you can save to a safe location.

  13. Select Email sign-in instructions. Your local mail client opens with a draft that you can customize and send to the user. The email template includes the following details to each user:

    • User name

    • URL to the account sign-in page. Use the following example, substituting the correct account ID number or account alias:

      https://Amazon-account-ID or alias.signin.amazonaws.cn/console
    Important

    The user's password is not included in the generated email. You must provide the password to the user in a way that complies with your organization's security guidelines.

  14. If the user also requires access keys, refer to Managing access keys for IAM users.

Creating IAM users (Amazon CLI)

You can use the Amazon CLI to create an IAM user.

To create an IAM user (Amazon CLI)
  1. Create a user.

  2. (Optional) Give the user access to the Amazon Web Services Management Console. This requires a password. You must also give the user the URL of your account's sign-in page.

  3. (Optional) Give the user programmatic access. This requires access keys.

    • aws iam create-access-key

    • Tools for Windows PowerShell: New-IAMAccessKey

    • IAM API: CreateAccessKey

      Important

      This is your only opportunity to view or download the secret access keys, and you must provide this information to your users before they can use the Amazon API. Save the user's new access key ID and secret access key in a safe and secure place. You will not have access to the secret keys again after this step.

  4. Add the user to one or more groups. The groups that you specify should have attached policies that grant the appropriate permissions for the user.

  5. (Optional) Attach a policy to the user that defines the user's permissions. Note: We recommend that you manage user permissions by adding the user to a group and attaching a policy to the group instead of attaching directly to a user.

  6. (Optional) Add custom attributes to the user by attaching tags. For more information, see Managing tags on IAM users (Amazon CLI or Amazon API).

  7. (Optional) Give the user permission to manage their own security credentials. For more information, see Amazon: Allows MFA-authenticated IAM users to manage their own credentials on the Security credentials page.

Creating IAM users (Amazon API)

You can use the Amazon API to create an IAM user.

To create an IAM user from the (Amazon API)
  1. Create a user.

  2. (Optional) Give the user access to the Amazon Web Services Management Console. This requires a password. You must also give the user the URL of your account's sign-in page.

  3. (Optional) Give the user programmatic access. This requires access keys.

    • CreateAccessKey

      Important

      This is your only opportunity to view or download the secret access keys, and you must provide this information to your users before they can use the Amazon API. Save the user's new access key ID and secret access key in a safe and secure place. You will not have access to the secret keys again after this step.

  4. Add the user to one or more groups. The groups that you specify should have attached policies that grant the appropriate permissions for the user.

  5. (Optional) Attach a policy to the user that defines the user's permissions. Note: We recommend that you manage user permissions by adding the user to a group and attaching a policy to the group instead of attaching directly to a user.

  6. (Optional) Add custom attributes to the user by attaching tags. For more information, see Managing tags on IAM users (Amazon CLI or Amazon API).

  7. (Optional) Give the user permission to manage their own security credentials. For more information, see Amazon: Allows MFA-authenticated IAM users to manage their own credentials on the Security credentials page.