Using IAM in the Amazon CLI - Amazon Command Line Interface
Creating IAM users and groupsAttaching an IAM managed policy to a userSetting an initial password for an IAM userCreating an access key for an IAM user
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This documentation is for Version 1 of the Amazon CLI only. For documentation related to Version 2 of the Amazon CLI, see the Version 2 User Guide.

Using IAM in the Amazon CLI

An introduction to Amazon Identity and Access Management

You can access the features of Amazon Identity and Access Management (IAM) using the Amazon Command Line Interface (Amazon CLI). To list the Amazon CLI commands for IAM, use the following command.

aws iam help

This topic shows examples of Amazon CLI commands that perform common tasks for IAM.

Before you run any commands, set your default credentials. For more information, see Configuring settings for the Amazon CLI.

For more information on the IAM service, see the Amazon Identity and Access Management User Guide.

Creating IAM users and groups

To create a group and add a new user to it

  1. Use the create-group command to create the group.

    $ aws iam create-group --group-name MyIamGroup
{
    "Group": {
        "GroupName": "MyIamGroup",
        "CreateDate": "2018-12-14T03:03:52.834Z",
        "GroupId": "AGPAJNUJ2W4IJVEXAMPLE",
        "Arn": "arn:aws-cn:iam::123456789012:group/MyIamGroup",
        "Path": "/"
    }
}

  2. Use the create-user command to create the user.

    $ aws iam create-user --user-name MyUser
{
    "User": {
        "UserName": "MyUser",
        "Path": "/",
        "CreateDate": "2018-12-14T03:13:02.581Z",
        "UserId": "AIDAJY2PE5XUZ4EXAMPLE",
        "Arn": "arn:aws-cn:iam::123456789012:user/MyUser"
    }
}

  3. Use the add-user-to-group command to add the user to the group.

    $ aws iam add-user-to-group --user-name MyUser --group-name MyIamGroup

  4. To verify that the MyIamGroup group contains the MyUser, use the get-group command.

    $ aws iam get-group --group-name MyIamGroup
{
    "Group": {
        "GroupName": "MyIamGroup",
        "CreateDate": "2018-12-14T03:03:52Z",
        "GroupId": "AGPAJNUJ2W4IJVEXAMPLE",
        "Arn": "arn:aws-cn:iam::123456789012:group/MyIamGroup",
        "Path": "/"
    },
    "Users": [
        {
            "UserName": "MyUser",
            "Path": "/",
            "CreateDate": "2018-12-14T03:13:02Z",
            "UserId": "AIDAJY2PE5XUZ4EXAMPLE",
            "Arn": "arn:aws-cn:iam::123456789012:user/MyUser"
        }
    ],
    "IsTruncated": "false"
}

Attaching an IAM managed policy to a user

The policy in this example provides the user with "Power User Access".

To attach an IAM managed policy to a user

  1. Determine the Amazon Resource Name (ARN) of the policy to attach. The following command uses list-policies to find the ARN of the policy with the name PowerUserAccess. It then stores that ARN in an environment variable.

    $ export POLICYARN=$(aws iam list-policies --query 'Policies[?PolicyName==`PowerUserAccess`].{ARN:Arn}' --output text)       ~
$ echo $POLICYARN
arn:aws-cn:iam::aws:policy/PowerUserAccess

  2. To attach the policy, use the attach-user-policyattach-user-policy command, and reference the environment variable that holds the policy ARN.

    $ aws iam attach-user-policy --user-name MyUser --policy-arn $POLICYARN

  3. Verify that the policy is attached to the user by running the list-attached-user-policies command.

    $ aws iam list-attached-user-policies --user-name MyUser
{
    "AttachedPolicies": [
        {
            "PolicyName": "PowerUserAccess",
            "PolicyArn": "arn:aws-cn:iam::aws:policy/PowerUserAccess"
        }
    ]
}

For more information, see Access Management Resources. This topic provides links to an overview of permissions and policies, and links to examples of policies for accessing Amazon S3, Amazon EC2, and other services.

Setting an initial password for an IAM user

The following command uses create-login-profile to set an initial password on the specified user. When the user signs in for the first time, the user is required to change the password to something that only the user knows.

$ aws iam create-login-profile --user-name MyUser --password My!User1Login8P@ssword --password-reset-required
{
    "LoginProfile": {
        "UserName": "MyUser",
        "CreateDate": "2018-12-14T17:27:18Z",
        "PasswordResetRequired": true
    }
}

You can use the update-login-profile command to change the password for a user.

$ aws iam update-login-profile --user-name MyUser --password My!User1ADifferentP@ssword

Creating an access key for an IAM user

You can use the create-access-key command to create an access key for a user. An access key is a set of security credentials that consists of an access key ID and a secret key.

A user can create only two access keys at one time. If you try to create a third set, the command returns a LimitExceeded error.

$ aws iam create-access-key --user-name MyUser
{
    "AccessKey": {
        "UserName": "MyUser",
        "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "Status": "Active",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "CreateDate": "2018-12-14T17:34:16Z"
    }
}

Use the delete-access-key command to delete an access key for a user. Specify which access key to delete by using the access key ID.

$ aws iam delete-access-key --user-name MyUser --access-key-id AKIAIOSFODNN7EXAMPLE