Amazon’s Identity and Access Management (IAM) service allows us to create users under a single Amazon Web Services account rather than signing each user up with their own Amazon Web Services account. Here we will see how to create such a user, grant it permissions, and give it API and console access.
We will need the AWS CLI or the IAM Command Line Toolkit for these examples. Both are shown below; the toolkit has since been deprecated in favour of the AWS CLI, so prefer the AWS CLI form for new work.
Create User
Let us create a user that will have full permissions on the account, and we shall name the user iam_user. We can give a path if we want to delineate users in our organization (a path is an organizational label that can be matched in policy ARNs; it does not restrict permissions by itself), but here we will just use / for the path. In the API requests below, *AUTHPARAMS* is a placeholder for the request's authentication parameters (the signed credential fields); the command-line tools compute and add these for us.
Example API Request
https://iam.amazonaws.com/
?Action=CreateUser
&Path=/
&UserName=iam_user
&*AUTHPARAMS*
AWS CLI
Console - user@hostname ~ $
aws iam create-user \
    --path "/" \
    --user-name "iam_user"
Output
{
    "User": {
        "UserName": "iam_user",
        "Path": "/",
        "CreateDate": "2014-07-01T08:36:34.909Z",
        "UserId": "AIDAIO5RBZPVAWEXAMPLE",
        "Arn": "arn:aws:iam::123456789012:user/iam_user"
    }
}
IAM Command Line Toolkit
Console - user@hostname ~ $
iam-usercreate -u iam_user -p / -v
Output (with -v the toolkit prints the user's ARN and user ID)
arn:aws:iam::123456789012:user/iam_user
AIDAIO5RBZPVAWEXAMPLE
Grant Permissions
We now need to define what the user is allowed to do, which IAM expresses as a policy document attached to the user (an inline policy). For this example we will allow all actions on all resources. Be aware that this is equivalent to administrator access and is used here only to keep the example short; a real user should get the minimum set of actions and resources it needs, and the document should carry "Version": "2012-10-17" so that newer policy features (such as policy variables) are interpreted rather than silently ignored.
Example API Request
https://iam.amazonaws.com/
?Action=PutUserPolicy
&UserName=iam_user
&PolicyName=AllAccessPolicy
&PolicyDocument={"Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}
&*AUTHPARAMS*
AWS CLI
Console - user@hostname ~ $
aws iam put-user-policy \
    --user-name "iam_user" \
    --policy-name "AllAccessPolicy" \
    --policy-document '{"Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'
IAM Command Line Toolkit
Console - user@hostname ~ $
iam-useruploadpolicy \
    -u iam_user \
    -p AllAccessPolicy \
    -o '{"Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'
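Before attaching a policy document it is worth checking what it actually grants. The following Python is an added example (not code from the original page or from AWS): it parses the AllAccessPolicy document exactly as written above, flags Allow statements with wildcard actions or resources, and contrasts it with a scoped-down document constructed for this example that only lets the user inspect itself and rotate its own access keys (the account ID is the one used on this page; the permission set is an assumption chosen for illustration). It also accepts the GetUserPolicy response shape shown later on this page, so the same check can be run against what IAM reports back.

```python
import json

# The inline policy document used on this page, copied verbatim.
ALL_ACCESS_POLICY = '{"Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'

# A scoped-down alternative, constructed for this example: the user may only
# inspect itself and rotate its own access keys (account ID from this page).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:GetUser", "iam:ListAccessKeys",
                       "iam:CreateAccessKey", "iam:DeleteAccessKey"],
            "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
        }
    ],
})


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_findings(document):
    """Return human-readable findings for one policy document.

    Accepts the raw JSON string (as passed to PutUserPolicy), the parsed
    dict, or the full GetUserPolicy response that wraps it in PolicyDocument.
    """
    policy = json.loads(document) if isinstance(document, str) else document
    if "PolicyDocument" in policy:
        policy = policy["PolicyDocument"]
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("no Version 2012-10-17: policy variables such as "
                        "${aws:username} will not be interpreted")
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(f"statement {i}: NotAction allows everything "
                            f"except {_as_list(stmt['NotAction'])}")
        wild_action = "*" in actions
        wild_resource = "*" in resources
        if wild_action and wild_resource:
            findings.append(f"statement {i}: Allow */* grants full administrative access")
        elif wild_action:
            findings.append(f"statement {i}: Action * (all actions) on {resources}")
        elif wild_resource:
            findings.append(f"statement {i}: Resource * for actions {actions}")
        for action in actions:
            if action.endswith(":*"):
                findings.append(f"statement {i}: service-wide wildcard {action}")
    return findings


def is_admin_equivalent(document):
    """True when some Allow statement grants every action on every resource."""
    return any("full administrative access" in f for f in policy_findings(document))


if __name__ == "__main__":
    for name, doc in (("AllAccessPolicy", ALL_ACCESS_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "->", policy_findings(doc) or ["no findings"])
```

Run it as a pre-commit or CI step over every document you are about to pass to put-user-policy; the page's AllAccessPolicy produces two findings (missing Version, and Allow */*), while the scoped document produces none.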
Access Key
Now that the user exists and has its permissions, the person receiving the account needs a way to authenticate. For programmatic (API and CLI) access we generate an access key, which is a pair of an access key ID and a secret access key. The secret is returned only at creation time and cannot be retrieved again, so hand it over through a secure channel and keep it out of shell history, logs and source control; a user can hold at most two access keys, which is what allows rotation without downtime. For access using X.509 certificates, see our HowTo: Generate an X.509 Certificate for an Amazon IAM User article.
Example API Request
https://iam.amazonaws.com/
?Action=CreateAccessKey
&UserName=iam_user
&*AUTHPARAMS*
AWS CLI
Console - user@hostname ~ $
aws iam create-access-key \
    --user-name "iam_user"
Output
{
    "AccessKey": {
        "UserName": "iam_user",
        "Status": "Active",
        "CreateDate": "2014-07-01T08:45:29.194Z",
        "SecretAccessKey": "BvQW1IpqVzRdbwPUirD3pK6L8ngoX4PTEXAMPLE",
        "AccessKeyId": "AKIACOOB5BQVEXAMPLE"
    }
}
IAM Command Line Toolkit
Console - user@hostname ~ $
iam-useraddkey -u iam_user
Output
AKIACOOB5BQVEXAMPLE
BvQW1IpqVzRdbwPUirD3pK6L8ngoX4PTEXAMPLE
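The *AUTHPARAMS* placeholder in the API requests on this page is where the access key just created comes into play: the request is signed with AWS Signature Version 4. The following Python is an added example (not code from the original page or from AWS) that signs the CreateUser request from the Create User section with the example key pair printed above. The host, region and API version constants, the fixed timestamp and the GET-with-query-string form are assumptions made here. The point it demonstrates is that only an HMAC derived from the secret travels with the request, the secret itself never does, and the signature is bound to the request time and parameters.

```python
import datetime
import hashlib
import hmac
import urllib.parse

# The example key pair printed on this page (AWS's documented EXAMPLE values, not live keys).
ACCESS_KEY_ID = "AKIACOOB5BQVEXAMPLE"
SECRET_ACCESS_KEY = "BvQW1IpqVzRdbwPUirD3pK6L8ngoX4PTEXAMPLE"

# Assumptions for this example: the global IAM endpoint signs as us-east-1,
# and the IAM Query API version parameter.
IAM_HOST = "iam.amazonaws.com"
IAM_REGION = "us-east-1"
IAM_API_VERSION = "2010-05-08"

# The CreateUser request from this page, with a fixed time matching its CreateDate.
EXAMPLE_PARAMS = {"Action": "CreateUser", "Path": "/", "UserName": "iam_user"}
EXAMPLE_TIME = datetime.datetime(2014, 7, 1, 8, 36, 34)


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the per-day SigV4 signing key; the secret itself never leaves the client."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def _uri_encode(value: str) -> str:
    # SigV4 canonical encoding: everything except unreserved characters is percent-encoded.
    return urllib.parse.quote(value, safe="-_.~")


def sign_iam_query(params: dict, access_key_id: str, secret: str, when: datetime.datetime) -> dict:
    """Sign a GET request to the IAM Query API; returns the URL and headers to send."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    query = dict(params, Version=IAM_API_VERSION)
    # Canonical query string: parameters sorted by name, names and values URI-encoded.
    canonical_query = "&".join(
        f"{_uri_encode(k)}={_uri_encode(str(v))}" for k, v in sorted(query.items())
    )
    signed_headers = "host;x-amz-date"
    canonical_headers = f"host:{IAM_HOST}\nx-amz-date:{amz_date}\n"
    payload_hash = hashlib.sha256(b"").hexdigest()  # GET carries an empty body
    canonical_request = "\n".join(
        ["GET", "/", canonical_query, canonical_headers, signed_headers, payload_hash]
    )
    scope = f"{date_stamp}/{IAM_REGION}/iam/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        signing_key(secret, date_stamp, IAM_REGION, "iam"),
        string_to_sign.encode("utf-8"), hashlib.sha256,
    ).hexdigest()
    authorization = (
        f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return {
        "url": f"https://{IAM_HOST}/?{canonical_query}",
        "headers": {"Host": IAM_HOST, "X-Amz-Date": amz_date, "Authorization": authorization},
    }


def example_request() -> dict:
    """The signed form of this page's CreateUser request."""
    return sign_iam_query(EXAMPLE_PARAMS, ACCESS_KEY_ID, SECRET_ACCESS_KEY, EXAMPLE_TIME)


if __name__ == "__main__":
    req = example_request()
    print(req["url"])
    for name, value in req["headers"].items():
        print(f"{name}: {value}")
```

The Authorization header carries the access key ID, the credential scope (date, region, service) and the hex signature; the secret key appears nowhere in the request. Since X-Amz-Date is signed and IAM rejects requests whose timestamp is too far from its own clock, a captured request cannot simply be replayed later. The AWS CLI and SDKs perform exactly this signing for you, which is why the CLI commands on this page do not show it.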
Console Login
Amazon IAM users can access the AWS Management Console at https://our_AWS_Account_ID.signin.aws.amazon.com/console/service, for example,
https://123456789012.signin.aws.amazon.com/console/ec2
But first we need to set up a login profile for the user, so they have a password to use. Note that a password given on the command line, as below, ends up in the shell history and in process listings; for a real user prefer to have the tool prompt for it, or require a change on first login (the AWS CLI supports --password-reset-required for this).
Example API Request
https://iam.amazonaws.com/
?Action=CreateLoginProfile
&UserName=iam_user
&Password=somePassword
&*AUTHPARAMS*
AWS CLI
Console - user@hostname ~ $
aws iam create-login-profile \
    --user-name "iam_user" \
    --password "somePassword"
IAM Command Line Toolkit
Console - user@hostname ~ $
iam-useraddloginprofile -u iam_user -p somePassword
Console Alias
If we want an easier URL to remember for our users to log in to the AWS Management Console, we can create an account alias. In this example we will use example, which will let our users log in at https://example.signin.aws.amazon.com/console/ec2 instead of the account-ID form shown above. Account aliases need to be globally unique, and the alias is visible in the sign-in URL, so do not treat it as a secret.
Example API Request
https://iam.amazonaws.com/
?Action=CreateAccountAlias
&AccountAlias=example
&*AUTHPARAMS*
AWS CLI
Console - user@hostname ~ $
aws iam create-account-alias \
    --account-alias "example"
IAM Command Line Toolkit
Console - user@hostname ~ $
iam-accountaliascreate -a example
Get User Info
If we want to get information about the user, we can start with this:
Example API Request
https://iam.amazonaws.com/
?Action=GetUser
&UserName=iam_user
&*AUTHPARAMS*
AWS CLI
Console - user@hostname ~ $
aws iam get-user \
    --user-name "iam_user"
Output
{
    "User": {
        "UserName": "iam_user",
        "Path": "/",
        "CreateDate": "2014-07-01T08:36:34Z",
        "UserId": "AIDAIO5RBZPVAWEXAMPLE",
        "Arn": "arn:aws:iam::123456789012:user/iam_user"
    }
}
IAM Command Line Toolkit
Console - user@hostname ~ $
iam-usergetattributes -u iam_user
Output (the user's ARN and user ID)
arn:aws:iam::123456789012:user/iam_user
AIDAIO5RBZPVAWEXAMPLE
Get User Policies
We can see what policies the user has like so:
Example API Request
https://iam.amazonaws.com/
?Action=ListUserPolicies
&UserName=iam_user
&*AUTHPARAMS*
AWS CLI
Console - user@hostname ~ $
aws iam list-user-policies \
    --user-name "iam_user"
Output
{
    "PolicyNames": [
        "AllAccessPolicy"
    ]
}
IAM Command Line Toolkit
Console - user@hostname ~ $
iam-userlistpolicies -u iam_user
Output
AllAccessPolicy
IsTruncated: false
Show Policy
And we can display the policy like so:
Example API Request
https://iam.amazonaws.com/
?Action=GetUserPolicy
&UserName=iam_user
&PolicyName=AllAccessPolicy
&*AUTHPARAMS*
AWS CLI
Console - user@hostname ~ $
aws iam get-user-policy \
    --user-name "iam_user" \
    --policy-name "AllAccessPolicy"
Output
{
    "UserName": "iam_user",
    "PolicyName": "AllAccessPolicy",
    "PolicyDocument": {
        "Statement": [
            {
                "Action": "*",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
}
IAM Command Line Toolkit (iam-userlistpolicies only lists policy names; iam-usergetpolicy fetches the document)
Console - user@hostname ~ $
iam-usergetpolicy -u iam_user -p AllAccessPolicy
Output
{"Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}