Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using Amazon CloudShell to work with Amazon Identity and Access Management

Amazon CloudShell is a browser-based, pre-authenticated shell that you can launch directly from the Amazon Web Services Management Console. You can run Amazon CLI commands against Amazon services (including Amazon Identity and Access Management) using your preferred shell (Bash, PowerShell or Z shell). And you can do this without needing to download or install command line tools.

You launch Amazon CloudShell from the Amazon Web Services Management Console, and the Amazon credentials you used to sign in to the console are automatically available in a new shell session. This pre-authentication of Amazon CloudShell users allows you to skip configuring credentials when interacting with Amazon services such as IAM using Amazon CLI version 2 (pre-installed on the shell's compute environment).

Obtaining IAM permissions for Amazon CloudShell

Using the access management resources provided by Amazon Identity and Access Management, administrators can grant permissions to IAM users so they can access Amazon CloudShell and use the environment's features.

The quickest way for an administrator to grant access to users is through an Amazon managed policy. An Amazon managed policy is a standalone policy that's created and administered by Amazon. The following Amazon managed policy for CloudShell can be attached to IAM identities:

  • AWSCloudShellFullAccess: Grants permission to use Amazon CloudShell with full access to all features.

If you want to limit the scope of actions that an IAM user can perform with Amazon CloudShell, you can create a custom policy that uses the AWSCloudShellFullAccess managed policy as a template. For more information about limiting the actions that are available to users in CloudShell, see Managing Amazon CloudShell access and usage with IAM policies in the Amazon CloudShell User Guide.

Interacting with IAM using Amazon CloudShell

After you launch Amazon CloudShell from the Amazon Web Services Management Console, you can immediately start to interact with IAM using the command line interface.

Note

When using Amazon CLI in Amazon CloudShell, you don't need to download or install any additional resources. Moreover, because you're already authenticated within the shell, you don't need to configure credentials before making calls.

Create an IAM group and add an IAM user to the group using Amazon CloudShell

The following example uses CloudShell to create an IAM group, add an IAM user to the group, and then verify that the command succeeded.

  1. From the Amazon Web Services Management Console, launch CloudShell by choosing one of the following options on the navigation bar:

    • Choose the CloudShell icon.

    • Start typing "cloudshell" in the Search box and then choose the CloudShell option.

  2. To create an IAM group, enter the following command in the CloudShell command line. In this example we named the group east_coast:

    aws iam create-group --group-name east_coast

    If the call is successful, the command line displays a response from the service similar to the following output:

    {
        "Group": {
            "Path": "/",
            "GroupName": "east_coast",
            "GroupId": "AGPAYBDBW4JBY3EXAMPLE",
            "Arn": "arn:aws:iam::111122223333:group/east_coast",
            "CreateDate": "2023-09-11T21:02:21+00:00"
        }
    }

  3. To add a user to the group that you created, use the following command, specifying the group name and username. In this example we named the group east_coast and the user johndoe:

    aws iam add-user-to-group --group-name east_coast --user-name johndoe
  4. To verify that the user is in the group, use the following command, specifying the group name. In this example we continue using the group east_coast:

    aws iam get-group --group-name east_coast

    If the call is successful, the command line displays a response from the service similar to the following output:

    {
        "Users": [
            {
                "Path": "/",
                "UserName": "johndoe",
                "UserId": "AIDAYBDBW4JBXGEXAMPLE",
                "Arn": "arn:aws:iam::552108220995:user/johndoe",
                "CreateDate": "2023-09-11T20:43:14+00:00",
                "PasswordLastUsed": "2023-09-11T20:59:14+00:00"
            }
        ],
        "Group": {
            "Path": "/",
            "GroupName": "east_coast",
            "GroupId": "AGPAYBDBW4JBY3EXAMPLE",
            "Arn": "arn:aws:iam::111122223333:group/east_coast",
            "CreateDate": "2023-09-11T21:02:21+00:00"
        }
    }
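Step 4 verifies membership by reading the Users list of the get-group response by eye. As an added example that is not part of this documentation page, the following script turns that check into a function and handles the one edge case a reader of a single response can miss: get-group is a paginated API (IsTruncated plus Marker), so a user missing from one page is not proven absent until the last page is seen. The sample response below is constructed to match the shape of the page's output; the file name verify_membership.py and the account ID are assumptions.

```python
"""Verify IAM group membership from `aws iam get-group` JSON output.

Usage (assumed file name):  aws iam get-group --group-name east_coast \
                              | python3 verify_membership.py johndoe
The AWS CLI pages through get-group for you unless --no-paginate is given;
a raw API call (for example boto3 get_group()) returns one page at a time,
which is why the function accepts a sequence of pages.
"""
import json
import sys

# Constructed sample page shaped like the documentation's get-group output.
SAMPLE_PAGE = json.loads("""
{
  "Users": [
    {"Path": "/", "UserName": "johndoe", "UserId": "AIDAYBDBW4JBXGEXAMPLE",
     "Arn": "arn:aws:iam::111122223333:user/johndoe",
     "CreateDate": "2023-09-11T20:43:14+00:00"}
  ],
  "Group": {"Path": "/", "GroupName": "east_coast",
            "GroupId": "AGPAYBDBW4JBY3EXAMPLE",
            "Arn": "arn:aws:iam::111122223333:group/east_coast",
            "CreateDate": "2023-09-11T21:02:21+00:00"},
  "IsTruncated": false
}
""")


def membership_verdict(pages, user_name):
    """Return "member", "absent" or "inconclusive" for user_name.

    pages is an iterable of decoded get-group responses in the order they
    were fetched. "inconclusive" means the last page seen was still
    truncated, so absence has not been proven and the caller must fetch
    the remaining pages (using the returned Marker) before acting on it.
    """
    last_truncated = False
    for page in pages:
        for user in page.get("Users", []):
            if user.get("UserName") == user_name:
                return "member"
        last_truncated = bool(page.get("IsTruncated", False))
    return "inconclusive" if last_truncated else "absent"


if __name__ == "__main__":
    # Reads one response document from stdin and reports the verdict.
    wanted = sys.argv[1] if len(sys.argv) > 1 else "johndoe"
    print(membership_verdict([json.load(sys.stdin)], wanted))
```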