aws-iam

List users

$ aws iam list-users

$ aws iam list-policies

$ aws iam list-groups

$ aws iam get-group --group-name [group_name]

$ aws iam get-policy --policy-arn arn:aws:iam::aws:policy/[policy_name]

$ aws iam list-access-keys

$ aws iam list-access-keys --user-name [user_name]

$ aws iam help

The general syntax for using the aws iam subcommand is:

aws iam <subcommand> [<options>] [<parameters>]

<subcommand> refers to a specific IAM operation (e.g., create-user, list-users, attach-user-policy).
<options> are global AWS CLI options (e.g., --region, --output, --profile).
<parameters> are specific to the chosen IAM subcommand (e.g., --user-name, --policy-arn).

Examples:
aws iam list-users
aws iam create-user --user-name myNewUser
aws iam attach-user-policy --user-name myUser --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

list-users
    Lists IAM users. Does not take direct parameters but supports global AWS CLI options (e.g., --max-items, --starting-token).

create-user
    Creates a new IAM user.
Key parameters: --user-name <string> (required), --path <string>.

get-user
    Retrieves information about a specific IAM user.
Key parameter: --user-name <string> (optional, defaults to the current user).

delete-user
    Deletes an IAM user.
Key parameter: --user-name <string> (required).

create-role
    Creates a new IAM role.
Key parameters: --role-name <string> (required), --assume-role-policy-document <string> (required, typically JSON).

attach-user-policy
    Attaches a managed policy to an IAM user.
Key parameters: --user-name <string> (required), --policy-arn <string> (required).

list-policies
    Lists managed policies.
Supports filtering parameters like --scope, --only-attached.

get-policy
    Retrieves information about a specific managed policy.
Key parameter: --policy-arn <string> (required).

The aws iam command is a crucial subcommand of the AWS Command Line Interface (CLI), enabling direct interaction with the AWS Identity and Access Management (IAM) service from your terminal. IAM is a web service that helps you securely control access to AWS resources. Using aws iam, administrators and developers can programmatically manage users, groups, roles, policies, and identity providers. This includes tasks such as creating and deleting users, assigning permissions, managing access keys, configuring multi-factor authentication (MFA) devices, and setting up trust policies for roles. It provides a powerful alternative to the AWS Management Console for automating IAM tasks, integrating with scripts, and streamlining infrastructure as code workflows.

Permissions: To execute aws iam commands, the AWS credentials configured for the CLI (via environment variables, shared credentials file, or IAM role) must have the necessary IAM permissions. For example, to create a user, the principal must have iam:CreateUser permission.
Region: While IAM is a global service, some AWS CLI commands might implicitly rely on a configured default region or require the --region option for other services. For IAM specific actions, the region usually defaults to us-east-1 but can generally be omitted.
Rate Limits: AWS IAM API calls are subject to rate limits. Scripts making a high volume of calls in a short period may encounter throttling errors. Implement retry mechanisms with exponential backoff if necessary.
JSON Output: Many IAM commands return JSON output, which can be verbose. Tools like jq are invaluable for parsing and filtering this output.
Security Best Practices: Exercise caution when creating or modifying IAM entities. Adhere to the principle of least privilege, granting only the necessary permissions. Avoid hardcoding sensitive credentials.

By default, aws iam commands output JSON. You can specify other formats using the --output global option, such as text or table, which can be more human-readable for certain commands.
Example: aws iam list-users --output table

For commands that can return a large number of items (e.g., list-users), the AWS CLI automatically handles pagination. You can control this behavior using --max-items (maximum items to return in a single call) and --starting-token (token to resume a previous paginated request).

The AWS Command Line Interface (CLI) was initially released in 2013, providing a unified tool to manage AWS services. Prior to the CLI, interaction with AWS APIs primarily involved SDKs or the AWS Management Console. As a core AWS service, IAM capabilities were integrated into the CLI early on. The development of aws iam as a subcommand reflects the increasing need for programmatic and automated management of AWS identities and access policies, especially with the rise of DevOps, infrastructure as code, and continuous delivery practices. It has evolved with the IAM service, incorporating new features like permission boundaries, service-linked roles, and enhanced policy management.

aws(1): The main AWS Command Line Interface command, of which iam is a subcommand., aws configure(1): Used to set up and manage AWS CLI configuration profiles (credentials, default region, output format)., jq(1): A lightweight and flexible command-line JSON processor, commonly used to parse the output of AWS CLI commands., less(1): A pager program often used to view extensive JSON output from AWS CLI commands.