Creating an IAM user in your Amazon Web Services account - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Important

The IAM best practices have been updated. As a best practice, require human users to use federation with an identity provider to access Amazon using temporary credentials. An additional best practice recommendation is to require workloads to use temporary credentials with IAM roles to access Amazon. IAM users are to be used only in very limited scenarios where an IAM role cannot be assumed. To learn about using Amazon IAM Identity Center (successor to Amazon Single Sign-On) to create users with temporary credentials, see Getting started in the Amazon IAM Identity Center (successor to Amazon Single Sign-On) User Guide.

Note

If you found this page because you are looking for information about the Product Advertising API to sell Amazon products on your website, see the Product Advertising API 5.0 Documentation.

If you arrived at this page from the IAM console, it is possible that your account does not include IAM users, even though you are signed in. You could be signed in as the Amazon Web Services account root user, using a role, or signed in with temporary credentials. To learn more about these IAM identities, see IAM Identities (users, user groups, and roles).

The process of creating a user and enabling that user to perform work tasks consists of the following steps:

  1. Create the user in the Amazon Web Services Management Console, the Amazon CLI, Tools for Windows PowerShell, or using an Amazon API operation. If you create the user in the Amazon Web Services Management Console, then steps 1–4 are handled automatically, based on your choices. If you create the user programmatically, then you must perform each of those steps individually.

  2. Create credentials for the user, depending on the type of access the user requires:

    • Enable console access – optional: If the user needs to access the Amazon Web Services Management Console, create a password for the user. Disabling console access for a user prevents them from signing in to the Amazon Web Services Management Console using their user name and password. It does not change their permissions or prevent them from accessing the console using an assumed role.

    Tip

    Create only the credentials that the user needs. For example, for a user who requires access only through the Amazon Web Services Management Console, do not create access keys.

  3. Give the user permissions to perform the required tasks by adding the user to one or more groups. You can also grant permissions by attaching permissions policies directly to the user. However, we recommend instead that you put your users in groups and manage permissions through policies that are attached to those groups. You can also use a permissions boundary to limit the permissions that a user can have, though this is not common.

  4. (Optional) Add metadata to the user by attaching tags. For more information about using tags in IAM, see Tagging IAM resources.

  5. Provide the user with the necessary sign-in information. This includes the password and the console URL for the account sign-in page where the user provides those credentials. For more information, see How IAM users sign in to Amazon.

  6. (Optional) Configure multi-factor authentication (MFA) for the user. MFA requires the user to provide a one-time-use code each time they sign in to the Amazon Web Services Management Console.

  7. (Optional) Give users permissions to manage their own security credentials. (By default, users do not have permissions to manage their own credentials.) For more information, see Permitting IAM users to change their own passwords.

For information about the permissions that you need in order to create a user, see Permissions required to access IAM resources.

Creating IAM users (console)

You can use the Amazon Web Services Management Console to create IAM users.

To create an IAM user (console)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Users and then choose Add user.

  3. Type the user name for the new user. This is the sign-in name for Amazon.

    Note

    The number and size of IAM resources in an Amazon account are limited. For more information, see IAM and Amazon STS quotas, name requirements, and character limits. User names can be a combination of up to 64 letters, digits, and these characters: plus (+), equal (=), comma (,), period (.), at sign (@), underscore (_), and hyphen (-). Names must be unique within an account. They are not distinguished by case. For example, you cannot create two users named TESTUSER and testuser.

  4. Select the type of access this user will have.

    • Select Enable console access – optional if the user requires access to the Amazon Web Services Management Console. This creates a password for the new user.

    1. For Console password, choose one of the following:

      • Autogenerated password – The user gets a randomly generated password that meets the account password policy. You can view or download the password when you get to the Retrieve password page.

      • Custom password – The user is assigned the password that you type in the box.

    2. (Optional) We recommend that you select Users must create a new password at next sign-in (recommended) to ensure that the user is forced to change their password the first time they sign in.

      Note

      If an administrator has enabled the Allow users to change their own password account password policy setting, then this check box does nothing. Otherwise, it automatically attaches an Amazon managed policy named IAMUserChangePassword to the new users. The policy grants them permission to change their own passwords.

  5. Choose Next.

  6. On the Set permissions page, specify how you want to assign permissions to this set of new users. Choose one of the following three options:

    • Add user to group – Choose this option if you want to assign the user to one or more groups that already have permissions policies. IAM displays a list of the groups in your account, along with their attached policies. You can select one or more existing groups, or choose Create group to create a new group. For more information, see Changing permissions for an IAM user.

    • Copy permissions – Choose this option to copy all of the group memberships, attached managed policies, embedded inline policies, and any existing permissions boundaries from an existing user to the new user. IAM displays a list of the users in your account. Select the one whose permissions most closely match the needs of your new users.

    • Attach policies directly – Choose this option to see a list of the Amazon managed and customer managed policies in your account. Select the policies that you want to attach to the new user or choose Create policy to open a new browser tab and create a new policy from scratch. For more information, see step 4 in the procedure Creating IAM policies. After you create the policy, close that tab and return to your original tab to add the policy to the new user.

      Tip

      Whenever possible, attach your policies to a group and then make users members of the appropriate groups.

  7. (Optional) Set a permissions boundary. This is an advanced feature.

    Open the Permissions boundary section and choose Use a permissions boundary to control the maximum permissions. IAM displays a list of the Amazon managed and customer managed policies in your account. Select the policy to use for the permissions boundary or choose Create policy to open a new browser tab and create a new policy from scratch. For more information, see step 4 in the procedure Creating IAM policies. After you create the policy, close that tab and return to your original tab to select the policy to use for the permissions boundary.

  8. Choose Next.

  9. (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM resources.

  10. On the Review and create page, review all of the choices you made up to this point. When you are ready to proceed, choose Create user.

  11. To view the user's password on the Retrieve password page, choose Show next to the password that you want to see. To save the password, choose Download .csv and then save the file to a safe location.

  12. Provide the user with their credentials. On the Retrieve password page you can choose Email sign-in instructions. Your local mail client opens with a draft that you can customize and send. The email template includes the following details for each user:

    • User name

    • URL to the account sign-in page. Use the following example, substituting the correct account ID number or account alias:

      https://<account-ID-or-alias>.signin.amazonaws.cn/console

    For more information, see How IAM users sign in to Amazon.

    Important

    The user's password is not included in the generated email. You must provide the password to the user in a way that complies with your organization's security guidelines.

Creating IAM users (Amazon CLI)

You can use the Amazon CLI to create an IAM user.

To create an IAM user (Amazon CLI)
  1. Create a user.

  2. (Optional) Give the user access to the Amazon Web Services Management Console. This requires a password. You must also give the user the URL of your account's sign-in page.

  3. (Optional) Give the user programmatic access. This requires access keys.

    • aws iam create-access-key

    • Tools for Windows PowerShell: New-IAMAccessKey

    • IAM API: CreateAccessKey

      Important

      This is your only opportunity to view or download the secret access keys, and you must provide this information to your users before they can use the Amazon API. Save the user's new access key ID and secret access key in a safe and secure place. You will not have access to the secret keys again after this step.

  4. Add the user to one or more groups. The groups that you specify should have attached policies that grant the appropriate permissions for the user.

  5. (Optional) Attach a policy to the user that defines the user's permissions. Note: We recommend that you manage user permissions by adding the user to a group and attaching a policy to the group instead of attaching directly to a user.

  6. (Optional) Add custom attributes to the user by attaching tags. For more information, see Managing tags on IAM users (Amazon CLI or Amazon API).

  7. (Optional) Give the user permission to manage their own security credentials. For more information, see Amazon: Allows MFA-authenticated IAM users to manage their own credentials on the My security credentials page.
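Added example (not from the Amazon documentation) that scripts the CLI procedure above end to end and also enforces the user-name rules from the console note (1 to 64 characters, the listed punctuation, case-insensitive uniqueness). It assumes a configured Amazon CLI profile with IAM permissions and an existing group that already carries the permissions policies; the helper names, the Owner tag and the sample values are constructed.

```shell
#!/bin/sh
# Added example, not from the Amazon documentation: wraps the CLI procedure with real
# `aws iam` subcommands. Helper names, the Owner tag and sample values are constructed;
# assumes a configured Amazon CLI profile and an existing group with the right policies.
set -eu
SIGNIN_DOMAIN="signin.amazonaws.cn"   # China-Region sign-in domain used on this page

# User-name rules from the console note: 1-64 characters drawn from letters,
# digits and + = , . @ _ -  (returns 1 for anything else).
validate_user_name() {
  name=$1
  [ -n "$name" ] && [ "${#name}" -le 64 ] || return 1
  case $name in *[!A-Za-z0-9+=,.@_-]*) return 1 ;; esac
  return 0
}

# Names are unique within an account regardless of case, so compare case-folded.
# $1 = candidate name, $2 = newline-separated list of existing user names.
name_is_taken() {
  candidate=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  printf '%s\n' "$2" | tr 'A-Z' 'a-z' | grep -qx -- "$candidate"
}

# Account sign-in URL that the user needs (step 2 of the CLI procedure).
signin_url() { printf 'https://%s.%s/console' "$1" "$SIGNIN_DOMAIN"; }

# Create a console-only user: no access keys, permissions via group membership,
# password change forced at first sign-in. $1 user, $2 group, $3 account ID/alias.
create_console_user() {
  user=$1 group=$2 account=$3
  validate_user_name "$user" || { echo "invalid user name: $user" >&2; return 1; }
  existing=$(aws iam list-users --query 'Users[].UserName' --output text | tr '\t' '\n')
  if name_is_taken "$user" "$existing"; then
    echo "user name already in use (case-insensitive match): $user" >&2; return 1
  fi
  aws iam create-user --user-name "$user" --tags Key=Owner,Value=security-team >/dev/null
  # The password never appears on a command line: it is generated, written to a
  # 0600 temp file and passed through --cli-input-json, then the file is removed.
  umask 077; tmp=$(mktemp)
  pw=$(aws secretsmanager get-random-password --password-length 20 \
        --exclude-characters '"\' --query RandomPassword --output text)
  printf '{"UserName":"%s","Password":"%s","PasswordResetRequired":true}' "$user" "$pw" >"$tmp"
  aws iam create-login-profile --cli-input-json "file://$tmp" >/dev/null
  rm -f "$tmp"
  aws iam add-user-to-group --user-name "$user" --group-name "$group"
  echo "sign-in URL for $user: $(signin_url "$account")"   # password goes out of band
}
# The live procedure runs only when called as: ./create_user.sh <user> <group> <account>
if [ "$#" -eq 3 ]; then create_console_user "$1" "$2" "$3"; fi
```

The validation and URL helpers run locally; only create_console_user talks to Amazon, and it deliberately creates no access keys because a console-only user does not need them.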

Creating IAM users (Amazon API)

You can use the Amazon API to create an IAM user.

To create an IAM user (Amazon API)
  1. Create a user.

  2. (Optional) Give the user access to the Amazon Web Services Management Console. This requires a password. You must also give the user the URL of your account's sign-in page.

  3. (Optional) Give the user programmatic access. This requires access keys.

    • CreateAccessKey

      Important

      This is your only opportunity to view or download the secret access keys, and you must provide this information to your users before they can use the Amazon API. Save the user's new access key ID and secret access key in a safe and secure place. You will not have access to the secret keys again after this step.

  4. Add the user to one or more groups. The groups that you specify should have attached policies that grant the appropriate permissions for the user.

  5. (Optional) Attach a policy to the user that defines the user's permissions. Note: We recommend that you manage user permissions by adding the user to a group and attaching a policy to the group instead of attaching directly to a user.

  6. (Optional) Add custom attributes to the user by attaching tags. For more information, see Managing tags on IAM users (Amazon CLI or Amazon API).

  7. (Optional) Give the user permission to manage their own security credentials. For more information, see Amazon: Allows MFA-authenticated IAM users to manage their own credentials on the My security credentials page.