Rename an IAM user
Note
As a best practice, we recommend that you require human users to use federation with an identity provider to access Amazon using temporary credentials. If you follow the best practices, you are not managing IAM users and groups. Instead, your users and groups are managed outside of Amazon and are able to access Amazon resources as a federated identity. A federated identity is a user from your enterprise user directory, a web identity provider, the Amazon Directory Service, the Identity Center directory, or any user that accesses Amazon services by using credentials provided through an identity source. Federated identities use the groups defined by their identity provider. If you are using Amazon IAM Identity Center, see Manage identities in IAM Identity Center in the Amazon IAM Identity Center User Guide for information about creating users and groups in IAM Identity Center.
Amazon Web Services offers multiple tools for managing the IAM users in your Amazon Web Services account. You can list the IAM users in your account or in a user group, or list all IAM groups that a user is a member of. You can rename or change the path of an IAM user. If you are moving to using federated identities instead of IAM users, you can delete an IAM user from your Amazon account, or deactivate the user.
For more information about adding, changing, or removing managed policies for an IAM user, see Change permissions for an IAM user. For information about managing inline policies for IAM users, see Adding and removing IAM identity permissions, Edit IAM policies, and Delete IAM policies. As a best practice, use managed policies instead of inline policies. Amazon managed policies grant permissions for many common use cases. Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they are available for use by all Amazon customers. As a result, we recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases. For more information, see Amazon managed policies. For more information about Amazon managed policies that are designed for specific job functions, see Amazon managed policies for job functions.
To learn about validating IAM policies, see IAM policy validation.
Tip
IAM Access Analyzer can analyze the services and actions that your IAM roles use, and then generate a fine-grained policy that you can use. After you test each generated policy, you can deploy the policy to your production environment. This ensures that you grant only the required permissions to your workloads. For more information about policy generation, see IAM Access Analyzer policy generation.
For information about managing IAM user passwords, see Manage passwords for IAM users.
Renaming an IAM user
To change a user's name or path, you must use the Amazon CLI, Tools for Windows PowerShell, or Amazon API. There is no option in the console to rename a user. For information about the permissions that you need in order to rename a user, see Permissions required to access IAM resources.
When you change a user's name or path, the following happens:
- Any policies attached to the user stay with the user under the new name.
- The user stays in the same IAM groups under the new name.
- The unique ID for the user remains the same. For more information about unique IDs, see Unique identifiers.
- Any resource or role policies that refer to the user as a principal (the user is being granted access) are automatically updated to use the new name or path. For example, any queue-based policies in Amazon SQS or resource-based policies in Amazon S3 are automatically updated to use the new name and path.
IAM does not automatically update policies that refer to the user as a resource to use the new name or path; you must manually do that. For example, imagine that user Richard has a policy attached to him that lets him manage his security credentials. If an administrator renames Richard to Rich, the administrator also needs to update that policy to change the resource from this:
arn:aws-cn:iam::111122223333:user/division_abc/subdivision_xyz/Richard
to this:
arn:aws-cn:iam::111122223333:user/division_abc/subdivision_xyz/Rich
This is true also if an administrator changes the path; the administrator needs to update the policy to reflect the new path for the user.
To rename a user
- Amazon CLI: aws iam update-user
- Amazon API: UpdateUser